tomcat-users mailing list archives

From: "Chetan Sabnis" <indy...@gmail.com>
Subject: Re: configuration setting to disable URL sessions?
Date: Fri, 08 Sep 2006 15:24:47 GMT
Thanks.  While I am using Apache httpd in most cases, the webapp can
be run in IIS if someone chooses to deploy it that way (connected via
mod_jk).  It certainly seems like this is something that should be
controllable from the Tomcat side of things.  Any other suggestions?

Thanks,
Chetan

On 9/8/06, Marc Richards <mjrx20@yahoo.com> wrote:
> If you're using apache httpd as a front end you can
> handle this with a rewrite rule:
>
> RewriteRule (.*);jsessionid.* $1
>
> I do this for a different reason - when my users go to
> the top level url they are redirected to a login page
> that includes the jsessionid in the new url.  They
> then bookmark the page (session id included) and end
> up reusing it.  It is possible (though unlikely) to
> have two users conflict on a single session id this
> way, so I eliminate the possibility entirely.
>
> -marc
>
> --- Chetan Sabnis <indymag@gmail.com> wrote:
>
> > Is there a way to disable the Tomcat server (5.5)
> > from accepting
> > sessions that are sent in the URL using jsessionid?
> > This would be
> > useful in preventing certain session fixation
> > attacks.  Basically, I
> > would want sessions to be accepted only if they are
> > sent using a
> > cookie.
> >
> > Specifically, I am concerned about the following
> > scenario:
> >
> > 1) Attacker sends a simple HTTP Get to server
> > (http://www.example.com/test).  The server returns a
> > response with a
> > Set-Cookie header for JSESSIONID.  Say that this
> > cookie value is 1234.
> > 2) Attacker sends victim a link of the form
> > http://www.example.com/test;jsessionid=1234
> > 3) Victim clicks the link.  The server accepts that
> > its session with
> > the victim is 1234 since it is a valid session.
> > 4) Victim authenticates to the site (presuming that
> > jsessionid is
> > preserved in all interactions with the webapp)
> > 5) Attacker can impersonate victim since the
> > attacker knows the
> > session id of the victim.
> >
> > While the victim did make a mistake by clicking on
> > the link, it is
> > unlikely that the victim knew the implications of
> > clicking on a link
> > with a valid jsessionid in the URL.  This could be
> > prevented at step 3
> > by the server rejecting any sessions that are sent
> > via URL.  I have
> > not found this option in the docs, and looking
> > through the code, there
> > does not appear to be a way to prevent this
> > behavior.
> >
> > The "cookies" attribute in the Context element does
> > not change this
> > behavior.  Even if "cookies" is set to true,
> > sessions sent in the URL
> > are accepted by Tomcat for determining the
> > HttpSession of the request.
> >
> > It would be easy to deny this in a servlet or in
> > a filter by using
> > the HttpServletRequest class's
> > isRequestedSessionIdFromCookie()
> > method.  However, I was hoping for a way to do this
> > for all webapps
> > and all servlets via configuration.  Thoughts?
> >
> > Thanks in advance for any help.
> >
> >

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
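An added example, not code from this thread or from Tomcat itself, of the filter approach the original question mentions as the per-webapp fallback: a Servlet 2.4 Filter (the API level Tomcat 5.5 implements) that refuses to adopt a session id delivered as a ;jsessionid path parameter, using isRequestedSessionIdFromCookie(). The class name and the web.xml names are hypothetical; the regex that strips the path parameter assumes Tomcat's default parameter name jsessionid.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter: blocks step 3 of the fixation scenario in the thread
 * by never letting a request proceed with a session id that arrived in the
 * URL rather than in a cookie.
 *
 * Register in web.xml (Servlet 2.4, no annotations on Tomcat 5.5):
 *
 *   <filter>
 *     <filter-name>CookieOnlySessionFilter</filter-name>
 *     <filter-class>CookieOnlySessionFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>CookieOnlySessionFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class CookieOnlySessionFilter implements Filter {

    // Tomcat's URL-rewriting path parameter, e.g. /test;jsessionid=1234
    private static final Pattern JSESSIONID_PATH_PARAM =
        Pattern.compile(";jsessionid=[^;/?#]*", Pattern.CASE_INSENSITIVE);

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        String requestedId = req.getRequestedSessionId();
        if (requestedId != null && !req.isRequestedSessionIdFromCookie()) {
            // The id came from the URL, so whoever built the link knows it.
            // Do not hand the request to the webapp with that session bound.
            String method = req.getMethod();
            if ("GET".equals(method) || "HEAD".equals(method)) {
                // Send the browser to the same URL without the path parameter;
                // on the next request Tomcat creates a fresh session and
                // issues it in a Set-Cookie header instead.
                resp.sendRedirect(stripSessionIdFromUrl(req));
            } else {
                // A redirect would discard the request body, so refuse outright.
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                               "Session ids are accepted only from cookies");
            }
            return;
        }

        chain.doFilter(request, response);
    }

    /** Rebuilds the request path and query without any ;jsessionid=... parameter. */
    static String stripSessionIdFromUrl(HttpServletRequest req) {
        // Tomcat keeps path parameters in getRequestURI(), so remove them here.
        String uri = JSESSIONID_PATH_PARAM.matcher(req.getRequestURI()).replaceAll("");
        String query = req.getQueryString();
        return query == null ? uri : uri + "?" + query;
    }
}
```

The filter deliberately does not invalidate the URL-supplied session: in Marc's bookmark case that id may belong to a legitimate user who is still using it via a cookie, and an attacker who knows an id can already use it, so invalidating buys nothing. Two caveats a practitioner would still want: the filter only stops the URL vector, so the application should also invalidate the pre-login session and create a new one when the user authenticates (fixation is also possible by planting a cookie, for example from a sibling subdomain); and the check must run before any servlet or JSP calls getSession(), which the /* mapping above achieves. For reference, container-wide configuration of this behaviour was added later than this thread, in Servlet 3.0, as <session-config><tracking-mode>COOKIE</tracking-mode></session-config> in web.xml.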