tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Haszlakiewicz <...@swapsimple.com>
Subject Re: configuration setting to disable URL sessions?
Date Sun, 10 Sep 2006 03:47:54 GMT
On Thu, Sep 07, 2006 at 06:33:41PM -0400, Chetan Sabnis wrote:
> Is there a way to disable the Tomcat server (5.5) from accepting
> sessions that are sent in the URL using jsessionid?  This would be
> useful in preventing certain session fixation attacks.  Basically, I
> would want sessions to be accepted only if they are sent using a
> cookie.
> 
> Specifically, I am concerned about the following scenario:
> 
> 1) Attacker sends a simple HTTP Get to server
> (http://www.example.com/test).  The server returns a response with a
> Set-Cookie header for JSESSIONID.  Say that this cookie value is 1234.
> 2) Attacker sends victim a link of the form
> http://www.example.com/test;jsessionid=1234
> 3) Victim clicks the link.  The server accepts that its session with
> the victim is 1234 since it is a valid session.
> 4) Victim authenticates to the site (presuming that jessionid is
> preserved in all interactions with the webapp)

	4a) site login action calls session.invalidate() followed by
	     request.getSession() to get a new session to defeat this attack.

> 5) Attacker can impersonate victim since the attacker knows the
> session id of the victim.
> 

Or, you could write a filter that checks request.isRequestedSessionIdFromURL()
and invalidates the session if it is.  btw, if there is a cookie set, that
overrides anything provided in the url.

eric

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message