tomcat-users mailing list archives

From Eric Haszlakiewicz <>
Subject Re: configuration setting to disable URL sessions?
Date Sun, 10 Sep 2006 03:47:54 GMT
On Thu, Sep 07, 2006 at 06:33:41PM -0400, Chetan Sabnis wrote:
> Is there a way to disable the Tomcat server (5.5) from accepting
> sessions that are sent in the URL using jsessionid?  This would be
> useful in preventing certain session fixation attacks.  Basically, I
> would want sessions to be accepted only if they are sent using a
> cookie.
> Specifically, I am concerned about the following scenario:
> 1) Attacker sends a simple HTTP Get to server
> (  The server returns a response with a
> Set-Cookie header for JSESSIONID.  Say that this cookie value is 1234.
> 2) Attacker sends victim a link of the form
> 3) Victim clicks the link.  The server accepts that its session with
> the victim is 1234 since it is a valid session.
> 4) Victim authenticates to the site (presuming that jsessionid is
> preserved in all interactions with the webapp)

	4a) site login action calls session.invalidate() followed by
	     request.getSession() to get a new session to defeat this attack.

> 5) Attacker can impersonate victim since the attacker knows the
> session id of the victim.

Or, you could write a filter that checks request.isRequestedSessionIdFromURL()
and invalidates the session if it is.  btw, if there is a cookie set, that
overrides anything provided in the url.
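As an added illustration of both suggestions above (not code from either poster), here is a servlet Filter that invalidates any session whose id arrived in the URL, plus a helper that a login action can call to replace the pre-authentication session with a fresh one. Class and method names are my own; it assumes the javax.servlet API that Tomcat 5.5 ships.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter name; map it to /* in web.xml so it runs before every request.
public class RejectUrlSessionFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // True only when the id came from ";jsessionid=..." in the URL and no
            // JSESSIONID cookie was sent (a cookie takes precedence over the URL).
            if (http.isRequestedSessionIdFromURL()) {
                // getSession(false) returns null if the URL id matches no live session,
                // so only a real, attacker-obtainable session gets invalidated here.
                HttpSession tainted = http.getSession(false);
                if (tainted != null) {
                    tainted.invalidate();
                }
            }
        }
        chain.doFilter(req, res);
    }

    // Call from the login action after credentials have been verified (step 4a):
    // drop the session the browser arrived with and issue a brand-new id, so an
    // id the attacker planted before login never becomes an authenticated session.
    public static HttpSession renewSessionAfterLogin(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        return request.getSession(true);
    }
}
```

Any attributes stored before login (a shopping cart, for instance) are lost with the old session; copy the ones you want to keep into the new session returned by renewSessionAfterLogin before relying on them.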
