tomcat-users mailing list archives

From phishery <>
Subject Re: configuration setting to disable URL sessions?
Date Tue, 19 Sep 2006 18:31:06 GMT

Did anyone ever find an easy/clean way to disable JSESSIONID on a standalone
tomcat server (so not using apache url rewriting)?


Chetan Sabnis wrote:
> Is there a way to prevent the Tomcat server (5.5) from accepting
> sessions that are sent in the URL using jsessionid?  This would be
> useful in preventing certain session fixation attacks.  Basically, I
> would want sessions to be accepted only if they are sent using a
> cookie.
> Specifically, I am concerned about the following scenario:
> 1) Attacker sends a simple HTTP Get to server
> (  The server returns a response with a
> Set-Cookie header for JSESSIONID.  Say that this cookie value is 1234.
> 2) Attacker sends victim a link of the form
> 3) Victim clicks the link.  The server accepts that its session with
> the victim is 1234 since it is a valid session.
> 4) Victim authenticates to the site (presuming that jsessionid is
> preserved in all interactions with the webapp)
> 5) Attacker can impersonate victim since the attacker knows the
> session id of the victim.
> While the victim did make a mistake by clicking on the link, it is
> unlikely that the victim knew the implications of clicking on a link
> with a valid jsessionid in the URL.  This could be prevented at step 3
> by the server rejecting any sessions that are sent via URL.  I have
> not found this option in the docs, and looking through the code, there
> does not appear to be a way to prevent this behavior.
> The "cookies" attribute in the Context element does not change this
> behavior.  Even if "cookies" is set to true, sessions sent in the URL
> are accepted by Tomcat for determining the HttpSession of the request.
> It would be easy to deny this in a servlet or in a filter by using
> the HttpServletRequest class's isRequestedSessionIdFromCookie()
> method.  However, I was hoping for a way to do this for all webapps
> and all servlets via configuration.  Thoughts?
> Thanks in advance for any help.
> ---------------------------------------------------------------------
> To start a new topic, e-mail:
> To unsubscribe, e-mail:
> For additional commands, e-mail:
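The filter-based check that the quoted message describes, written out as an added example (this is not code from the thread or from Tomcat itself). It assumes the Servlet 2.4 API that Tomcat 5.5 ships, and the class name CookieOnlySessionFilter is an invented one. The filter refuses any request whose session id was taken from a `;jsessionid=` path parameter rather than from the JSESSIONID cookie, which is exactly the point (step 3 in the scenario above) where a planted id would otherwise be adopted as the victim's session:

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Rejects requests whose session id arrived in the URL (;jsessionid=...)
 * instead of in the JSESSIONID cookie. Hypothetical example filter,
 * not part of Tomcat; maps to /* so it runs before any servlet.
 */
public class CookieOnlySessionFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isRequestedSessionIdFromURL() is true only when the container took the
        // id from the path parameter; when a JSESSIONID cookie is also present the
        // cookie wins and this returns false, so normal cookie users pass through.
        if (request.isRequestedSessionIdFromURL()) {
            // The container has already bound the URL-supplied id to a session for
            // this request. Invalidate it so neither the victim nor whoever planted
            // the id can keep using it, then refuse the request outright.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Session id must be supplied in a cookie, not in the URL");
            return;
        }

        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }
}
```

Register it with a `<filter>` and a `<filter-mapping>` on `/*` in the webapp's WEB-INF/web.xml; to apply it to every webapp on a Tomcat 5.5 instance, put the same declaration in conf/web.xml (the defaults merged into all webapps) and place the class where all webapps can load it, such as common/lib. Two caveats: on Servlet 3.0 containers (Tomcat 7 and later) the same effect is available by configuration alone, via `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml, so the filter is only needed on older containers; and refusing URL ids closes only this one fixation route, so the session id should still be regenerated when the user authenticates.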
