tomcat-users mailing list archives

From "Chetan Sabnis" <>
Subject configuration setting to disable URL sessions?
Date Thu, 07 Sep 2006 22:33:41 GMT
Is there a way to disable the Tomcat server (5.5) from accepting
sessions that are sent in the URL using jsessionid?  This would be
useful in preventing certain session fixation attacks.  Basically, I
would want sessions to be accepted only if they are sent using a

Specifically, I am concerned about the following scenario:

1) Attacker sends a simple HTTP Get to server
(  The server returns a response with a
Set-Cookie header for JSESSIONID.  Say that this cookie value is 1234.
2) Attacker sends victim a link of the form;jsessionid=1234
3) Victim clicks the link.  The server accepts that its session with
the victim is 1234 since it is a valid session.
4) Victim authenticates to the site (presuming that jsessionid is
preserved in all interactions with the webapp)
5) Attacker can impersonate victim since the attacker knows the
session id of the victim.

While the victim did make a mistake by clicking on the link, it is
unlikely that the victim knew the implications of clicking on a link
with a valid jsessionid in the URL.  This could be prevented at step 3
by the server rejecting any sessions that are sent via URL.  I have
not found this option in the docs, and looking through the code, there
does not appear to be a way to prevent this behavior.

The "cookies" attribute in the Context element does not change this
behavior.  Even if "cookies" is set to true, sessions sent in the URL
are accepted by Tomcat for determining the HttpSession of the request.

It would be easy to deny this in a servlet or in a filter by using
the HttpServletRequest class's isRequestedSessionIdFromCookie()
method.  However, I was hoping for a way to do this for all webapps
and all servlets via configuration.  Thoughts?

Thanks in advance for any help.
