tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: How to avoid session fixation? [securityfilter-specific response]
Date Wed, 06 Feb 2008 22:57:03 GMT

All,

Christopher Schultz wrote:
| This is interesting for the securityfilter project, which DOES allow
| drive-by logins. Hmm. I'll have to think about this one. Thanks!

I checked, and a login attempt on an existing authenticated session
results in securityfilter destroying the existing session and creating a
new one for the new login.

Existing sessions with NO authentication information are preserved,
which means that securityfilter is also vulnerable to Session Fixation
(which is essentially informed-session-hijacking).

-chris
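The fix the message points at is to rotate the session on every successful login, not only when the old session already carried a principal. The following servlet-API sketch is an added illustration, not securityfilter's own code; the class name, method name and the `example.principal` attribute key are hypothetical.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Session-fixation defence for a login handler (hypothetical helper, not
 * part of securityfilter): on EVERY successful authentication, discard the
 * session the client arrived with, authenticated or not, and continue in a
 * fresh one issued by the container. A session id the client already held
 * before login (possibly planted by a third party) never becomes authenticated.
 */
public final class LoginSessionRotator {

    // Hypothetical attribute name under which the logged-in principal is stored.
    private static final String PRINCIPAL_KEY = "example.principal";

    /**
     * Call only after credentials have been verified. Returns the new session.
     * Non-security attributes of the old session are carried over so the user
     * keeps state such as a cart; any previous principal is deliberately dropped.
     */
    public static HttpSession rotateOnLogin(HttpServletRequest request, String principal) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                if (!PRINCIPAL_KEY.equals(name)) {
                    carried.put(name, old.getAttribute(name));
                }
            }
            old.invalidate(); // the pre-login id is now unusable, whoever knows it
        }
        HttpSession fresh = request.getSession(true); // container issues a new id
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute(PRINCIPAL_KEY, principal);
        return fresh;
    }
}
```

On Servlet 3.1 or later containers, `HttpServletRequest.changeSessionId()` achieves the id rotation without copying attributes by hand; the invalidate-and-recreate form above is what was available to a 2008-era filter.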

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org