From: "Chetan Sabnis"
To: "Tomcat Users List" <users@tomcat.apache.org>
Subject: Re: configuration setting to disable URL sessions?
Date: Fri, 8 Sep 2006 11:24:47 -0400
In-Reply-To: <20060908142833.70593.qmail@web50303.mail.yahoo.com>

Thanks. While I am using Apache httpd in most cases, the webapp can be run
in IIS if someone chooses to deploy it that way (connected via mod_jk). It
certainly seems like this is something that should be controllable from
the Tomcat side of things. Any other suggestions?

Thanks,
Chetan

On 9/8/06, Marc Richards wrote:
> If you're using apache httpd as a front end you can handle this with a
> rewrite rule:
>
> RewriteRule (.*);jsessionid.* $1
>
> I do this for a different reason - when my users go to the top level url
> they are redirected to a login page that includes the jsessionid in the
> new url. They then bookmark the page (session id included) and end up
> reusing it. It is possible (though unlikely) to have two users conflict
> on a single session id this way, so I eliminate the possibility entirely.
>
> -marc
>
> --- Chetan Sabnis wrote:
>
> > Is there a way to disable the Tomcat server (5.5) from accepting
> > sessions that are sent in the URL using jsessionid? This would be
> > useful in preventing certain session fixation attacks. Basically, I
> > would want sessions to be accepted only if they are sent using a
> > cookie.
> >
> > Specifically, I am concerned about the following scenario:
> >
> > 1) Attacker sends a simple HTTP Get to server
> > (http://www.example.com/test). The server returns a response with a
> > Set-Cookie header for JSESSIONID. Say that this cookie value is 1234.
> > 2) Attacker sends victim a link of the form
> > http://www.example.com/test;jsessionid=1234
> > 3) Victim clicks the link. The server accepts that its session with
> > the victim is 1234 since it is a valid session.
> > 4) Victim authenticates to the site (presuming that jsessionid is
> > preserved in all interactions with the webapp)
> > 5) Attacker can impersonate victim since the attacker knows the
> > session id of the victim.
> >
> > While the victim did make a mistake by clicking on the link, it is
> > unlikely that the victim knew the implications of clicking on a link
> > with a valid jsessionid in the URL. This could be prevented at step 3
> > by the server rejecting any sessions that are sent via URL. I have
> > not found this option in the docs, and looking through the code, there
> > does not appear to be a way to prevent this behavior.
> >
> > The "cookies" attribute in the Context element does not change this
> > behavior. Even if "cookies" is set to true, sessions sent in the URL
> > are accepted by Tomcat for determining the HttpSession of the request.
> >
> > It would be easy to deny this in a servlet or in a filter by using
> > the HttpServletRequest class's isRequestedSessionIdFromCookie()
> > method. However, I was hoping for a way to do this for all webapps
> > and all servlets via configuration. Thoughts?
> >
> > Thanks in advance for any help.
> >
> > ---------------------------------------------------------------------
> > To start a new topic, e-mail: users@tomcat.apache.org
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
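The per-webapp filter that Chetan's original message describes, written out as an added example (it is not code from this thread or from Tomcat): it uses the Servlet 2.4 API that Tomcat 5.5 ships, and when a session id arrived as a ;jsessionid path parameter it refuses to adopt it and redirects to the same URL with the parameter stripped, which is the in-container equivalent of Marc's RewriteRule. The filter name and the web.xml mapping to /* are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of Tomcat): only accept session ids that
 * came from the JSESSIONID cookie. A session id planted in a link, as in
 * the session fixation scenario above, is never used for this request.
 * Map it to /* in web.xml so it runs before every servlet in the webapp.
 */
public class CookieOnlySessionFilter implements Filter {

    public void init(FilterConfig config) {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The container has already parsed ;jsessionid=... out of the path.
        // isRequestedSessionIdFromURL() is true only when the id came from
        // the path and not from a cookie.
        if (request.getRequestedSessionId() != null
                && request.isRequestedSessionIdFromURL()) {
            // Do not call getSession(): that would bind this request to the
            // attacker-chosen id. Send the browser back to the same resource
            // without the path parameter; it will then present its own cookie
            // (or none, and get a fresh server-generated session).
            String uri = request.getRequestURI().replaceAll(";jsessionid=[^/?]*", "");
            String query = request.getQueryString();
            if (query != null) {
                uri = uri + "?" + query;
            }
            response.sendRedirect(uri);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Because the redirect happens before any servlet touches the session, an authentication that follows it is always bound to a cookie-delivered id, which breaks step 3 of the scenario for this webapp.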