tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From phishery <phish...@gmail.com>
Subject Re: configuration setting to disable URL sessions?
Date Tue, 19 Sep 2006 18:31:06 GMT

Did anyone ever find a easy/clean way to disable JSESSIONID on a standalone
tomcat server (so not using apache url rewriting)?

Thanks,
R


Chetan Sabnis wrote:
> 
> Is there a way to disable the Tomcat server (5.5) from accepting
> sessions that are sent in the URL using jsessionid?  This would be
> useful in preventing certain session fixation attacks.  Basically, I
> would want sessions to be accepted only if they are sent using a
> cookie.
> 
> Specifically, I am concerned about the following scenario:
> 
> 1) Attacker sends a simple HTTP Get to server
> (http://www.example.com/test).  The server returns a response with a
> Set-Cookie header for JSESSIONID.  Say that this cookie value is 1234.
> 2) Attacker sends victim a link of the form
> http://www.example.com/test;jsessionid=1234
> 3) Victim clicks the link.  The server accepts that its session with
> the victim is 1234 since it is a valid session.
> 4) Victim authenticates to the site (presuming that jessionid is
> preserved in all interactions with the webapp)
> 5) Attacker can impersonate victim since the attacker knows the
> session id of the victim.
> 
> While the victim did make a mistake by clicking on the link, it is
> unlikely that the victim knew the implications of clicking on a link
> with a valid jsessionid in the URL.  This could be prevented at step 3
> by the server rejecting any sessions that are sent via URL.  I have
> not found this option in the docs, and looking through the code, there
> does not appear to be a way to prevent this behavior.
> 
> The "cookies" attribute in the Context element does not change this
> behavior.  Even if "cookies" is set to true, sessions sent in the URL
> are accepted by Tomcat for determining the HttpSession of the request.
> 
> It would be easy to do deny this in a servlet or in a filter by using
> the HttpServletRequest class's isRequestedSessionIdFromCookie()
> method.  However, I was hoping for a way to do this for all webapps
> and all servlets via configuration.  Thoughts?
> 
> Thanks in advance for any help.
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/configuration-setting-to-disable-URL-sessions--tf2235928.html#a6394208
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message