tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: How to avoid session fixation?
Date Wed, 06 Feb 2008 22:52:49 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David,

david delbecq wrote:
| Sorry Christopher, but i tried at work, it's very easy to force a user
| to use a specific sessionid, and later use yourself that session id to
| gain that user's credential, and for the whole session there is only one
| login, the one from the user you attempt to hijack.

Right, I knew that Tomcat was vulnerable to session hijacking.

| As such, tomcat is
| vulnerable to session fixation issues. Tomcat does not check where the
| session originates from (IP of requester is not associated with
| session). By passing a ;jssessionid=.... to a url and asking someone to
| "check something on that url", you can, after that user logged in, use
| yourself the same url to gain that user's credential.

Perhaps I misread the Session Fixation idea. I thought it was:

1. Login as a low-privileged user
2. Return that browser to the login page without logging-out
3. Convince a higher-privileged user to login using the same session
4. Hijack the session in another browser

I believe this scenario is not possible in Tomcat due to the
restrictions I outlined in my previous message.

On the other hand, skipping #1 and /not/ logging-in as a a lowly user
first /will/ allow session hijacking.

I believe the only way to prevent Session Fixation is to switch-up
sessions at authentication time. I suppose a container-based
implementation could change the id of the session and keep the physical
session in-tact. Non-container strategies would have to move any
relevant data from the untrusted session to the newly created session.
That might have odd consequences for objects that implement
SessionBindingListener and expect that removal from a session is the end
of the session.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEUEARECAAYFAkeqOkAACgkQ9CaO5/Lv0PDDFACeJKbBCBe5Wu762rofwzJ5GyYJ
1q0AmN3QOhYEFasv++++mKFaVa+SiBo=
=4j+K
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message