tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: How to avoid session fixation?
Date Wed, 06 Feb 2008 22:52:49 GMT

david delbecq wrote:
| Sorry Christopher, but I tried at work, it's very easy to force a user
| to use a specific sessionid, and later use yourself that session id to
| gain that user's credential, and for the whole session there is only one
| login, the one from the user you attempt to hijack.

Right, I knew that Tomcat was vulnerable to session hijacking.

| As such, tomcat is
| vulnerable to session fixation issues. Tomcat does not check where the
| session originates from (IP of requester is not associated with
| session). By passing a ;jsessionid=.... to a url and asking someone to
| "check something on that url", you can, after that user logged in, use
| yourself the same url to gain that user's credential.

Perhaps I misread the Session Fixation idea. I thought it was:

1. Login as a low-privileged user
2. Return that browser to the login page without logging-out
3. Convince a higher-privileged user to login using the same session
4. Hijack the session in another browser

I believe this scenario is not possible in Tomcat due to the
restrictions I outlined in my previous message.

On the other hand, skipping #1 and /not/ logging-in as a lowly user
first /will/ allow session hijacking.

I believe the only way to prevent Session Fixation is to switch-up
sessions at authentication time. I suppose a container-based
implementation could change the id of the session and keep the physical
session intact. Non-container strategies would have to move any
relevant data from the untrusted session to the newly created session.
That might have odd consequences for objects that implement
SessionBindingListener and expect that removal from a session is the end
of the session.

-chris
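The non-container strategy described in the message above, as an added example that is not from this thread and not Tomcat's own code: invalidate the pre-login session, let the container issue a fresh id, and carry the wanted attributes across. It assumes the javax.servlet 2.x API of the Tomcat releases of that period and a hypothetical helper class named SessionRotator.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not part of Tomcat): rotate the session id at
 * authentication time. Call it once right after the credentials have been
 * verified and BEFORE the authenticated principal is stored in the session,
 * so nothing an attacker planted in the old id survives unchanged.
 */
public final class SessionRotator {

    private SessionRotator() {}

    /** Returns the new session; the old one (if any) is invalidated. */
    public static HttpSession rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();

        if (old != null) {
            // Copy the attributes we want to keep before invalidating.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            // invalidate() unbinds every attribute, so objects implementing
            // HttpSessionBindingListener get valueUnbound() here and may
            // treat that as "end of session" (the caveat raised above).
            old.invalidate();
        }

        // The container generates a fresh id that the attacker never saw.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            // Re-binding fires valueBound() a second time on listener objects.
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Servlet 3.1 later added HttpServletRequest.changeSessionId(), which is the container-based variant the message supposes: the id changes while the session object and its bindings stay intact.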
