tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: How to avoid session fixation?
Date Wed, 06 Feb 2008 20:16:44 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christoph,

Christoph Lenggenhager wrote:
| I'm currently trying to find a way to fight "Session Fixation"
| (http://www.owasp.org/index.php/Session_Fixation) in tomcat when using
| the built -in mechanisms to authenticate users of a servlet.

I don't believe that Tomcat suffers from this problem. Without trying
it, I would imagine that a user cannot authenticate twice using the
built-in mechanism.

When a remote user requests a protected resource, Tomcat checks to see
if the user has authenticated already. If she has, Tomcat checks for
authorization. If the user is not authorized, the request is rejected.

If the user was not authenticated, the user is challenged for
authentication and the process picks up after authentication.

If a login request comes in without Tomcat expecting it, the request is
rejected.

Ergo, there's no way to login once and then expect someone to login
afterward.

If you are using your own authenticator, then this could be a problem.

| In the
| environment in question, an own realm implementation is in place and
| we use the SingleSignOn feature as well.

Have you demonstrated this problem in your own environment? If so, how
did you do it?

| Or is it in fact not a problem at all?

See above.

| A common solution to fix the problem is to renew the session (or at
| least it's id) right before/after the user is authenticated (i.e. in
| the same request). I came up with a custom valve that kind of does the
| job, but I'm really not sure whether this is the way to go or if I'm
| messing too much with tomcat internals.

I would make sure it's a problem first, and then fix it.

This is interesting for the securityfilter project, which DOES allow
drive-by logins. Hmm. I'll have to think about this one. Thanks!

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkeqFawACgkQ9CaO5/Lv0PDMIQCfdE5LNfTtW1ZifQmW9us9QkuB
qFEAnRkWyeRSII8qJ4noef5uzzQ6u6tl
=YRiq
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message