tomcat-users mailing list archives

From Marc Richards <>
Subject Re: configuration setting to disable URL sessions?
Date Fri, 08 Sep 2006 14:28:33 GMT
If you're using apache httpd as a front end you can
handle this with a rewrite rule:

RewriteRule (.*);jsessionid.* $1

I do this for a different reason - when my users go to
the top level url they are redirected to a login page
that includes the jsessionid in the new url.  They
then bookmark the page (session id included) and end
up reusing it.  It is possible (though unlikely) to
have two users conflict on a single session id this
way, so I eliminate the possibility entirely.


--- Chetan Sabnis <> wrote:

> Is there a way to disable the Tomcat server (5.5) from accepting
> sessions that are sent in the URL using jsessionid?  This would be
> useful in preventing certain session fixation attacks.  Basically, I
> would want sessions to be accepted only if they are sent using a
> cookie.
>
> Specifically, I am concerned about the following scenario:
> 1) Attacker sends a simple HTTP Get to server (  The server returns a
> response with a Set-Cookie header for JSESSIONID.  Say that this
> cookie value is 1234.
> 2) Attacker sends victim a link of the form
> 3) Victim clicks the link.  The server accepts that its session with
> the victim is 1234 since it is a valid session.
> 4) Victim authenticates to the site (presuming that jsessionid is
> preserved in all interactions with the webapp)
> 5) Attacker can impersonate victim since the attacker knows the
> session id of the victim.
>
> While the victim did make a mistake by clicking on the link, it is
> unlikely that the victim knew the implications of clicking on a link
> with a valid jsessionid in the URL.  This could be prevented at step 3
> by the server rejecting any sessions that are sent via URL.  I have
> not found this option in the docs, and looking through the code, there
> does not appear to be a way to prevent this behavior.
>
> The "cookies" attribute in the Context element does not change this
> behavior.  Even if "cookies" is set to true, sessions sent in the URL
> are accepted by Tomcat for determining the HttpSession of the request.
>
> It would be easy to deny this in a servlet or in a filter by using
> the HttpServletRequest class's isRequestedSessionIdFromCookie()
> method.  However, I was hoping for a way to do this for all webapps
> and all servlets via configuration.  Thoughts?
>
> Thanks in advance for any help.

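For readers who cannot put httpd in front of Tomcat, here is the per-webapp filter approach Chetan mentions, written as an added example (not code from either poster). It assumes the Servlet 2.4 API that Tomcat 5.5 ships; the class name is made up.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Refuses to honour a session id that arrived as ;jsessionid=... in the
 *  URL, so an id supplied in a link can never become the victim's session
 *  (step 3 of the scenario above). Hypothetical class name. */
public class RejectUrlSessionFilter implements Filter {

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Tomcat prefers a cookie id when both are present, so this is only
        // true when the URL was the sole source of the session id.
        if (request.isRequestedSessionIdFromURL()) {
            // The container has already matched the URL id against a live
            // session; discard it so nothing can be attached to that id.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            if ("GET".equals(request.getMethod())) {
                // Send the browser to the same resource without the path
                // parameter; the follow-up request gets a fresh cookie session.
                String uri = request.getRequestURI();
                int semi = uri.indexOf(';');
                String clean = semi >= 0 ? uri.substring(0, semi) : uri;
                if (request.getQueryString() != null) {
                    clean += "?" + request.getQueryString();
                }
                response.sendRedirect(clean);
            } else {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "Session ids in the URL are not accepted");
            }
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Map it with a `<filter-mapping>` on `/*` in each webapp's web.xml; as Chetan asked for, this means clients that refuse cookies can no longer keep a session at all.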

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:
