tomcat-users mailing list archives
From David Delbecq <>
Subject Re: How to avoid session fixation?
Date Fri, 08 Feb 2008 10:03:02 GMT
I think this is worth submitting a security issue request on the tracker, to
ask that, at least, the container links the requester IP to the session.
Changing the session ID upon login in the container would be a good thing imho,
it would ensure the ID becomes unknown to the attacker after login, wouldn't
destroy the user session (keep the session, only change its identifier) and
would work whatever authentication mechanism is used. The drawback is that
webapps that rely on the session id for some session tracking mechanism would

btw, your hack is limited to form based authentication, I successfully
"shared" an authenticated session on tomcat 5.5.7 using http basic
authentication. One of the computers had access to the secured resource
without ever being prompted for user/pass

At exactly 08/02/08 10:49, Christoph Lenggenhager
expressed himself in these terms:
> David, Christopher
> Thank you for sharing your thoughts.
> It seems to me that there is no standard solution to this problem, but you
> agree with me that the problem exists.
> As I mentioned before, I came up with a solution that looks promising.
> Here's a rough description, I'd welcome your opinions/concerns:
> - a custom valve contains the whole implementation
> - requests to the servlet/URI "j_security_check" are intercepted
> - for intercepted requests the current session is destroyed
>   and a new one is created:
>   -- snip --
>   ...
>   request.getSession().invalidate();
>   request.getSession(true);
>   ...
>   -- snap --
> - to have a proper redirect to the originally requested page
>   the original request has to be copied from the old session
>   to the new one.
>   I filter out any references to the old session id, although I'm
>   not sure whether this is really necessary.
> Well, first of all, I'm in the comfortable situation that I'm not interested
> in any session attributes that existed before the actual login, so
> this makes things easier.
> Furthermore, it's clearly a homemade hack, but it seems to do the job.
> Do you think it's worth opening a bug/feature request concerning this
> issue? For I actually think
> that this is clearly a task the container should take care of.
> Thanks.
> regards,
> christoph

-- (a belgian developer's logs)

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:
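The valve Christoph sketches above (intercept `j_security_check`, drop the old session, create a new one, carry the saved request across) and David's wish for a container-side ID change on login can be combined in one Tomcat 5.5-style Valve. The following is an added illustration written for this archive page, not code posted by either participant or shipped by Tomcat. The class name `LoginSessionRotationValve` and the package `example.session` are invented for the example; the Catalina API calls (`ValveBase`, `Request.getSessionInternal`, `Session.getNoteNames`/`getNote`/`setNote`/`expire`) are the real Tomcat 5.5 ones. It copies both the webapp's `HttpSession` attributes and the Catalina session notes, because `FormAuthenticator` keeps the saved original request (needed for the post-login redirect) in a note rather than an attribute.

```java
// Added example for this thread, not code from the original posts or from Tomcat.
// A Tomcat 5.5-style Valve that hands the client a fresh session ID when the
// form login is submitted, carrying the old session's attributes and Catalina
// notes over so the login and the post-login redirect keep working.
package example.session;  // hypothetical package name

import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpSession;

import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class LoginSessionRotationValve extends ValveBase {

    // Servlet-spec form login action that FormAuthenticator handles.
    private static final String LOGIN_ACTION = "/j_security_check";

    public void invoke(Request request, Response response)
            throws IOException, ServletException {

        Session old = request.getSessionInternal(false);
        // Only rotate when there is a session to rotate and this is the
        // credential submission; every other request passes straight through.
        if (old != null && request.getRequestURI().endsWith(LOGIN_ACTION)) {
            rotate(request, old);
        }
        getNext().invoke(request, response);
    }

    /** Replaces the current session with one under a new ID, keeping its contents. */
    private void rotate(Request request, Session old) {
        HttpSession oldHttp = old.getSession();

        // 1. Copy HttpSession attributes (what the webapp itself stored).
        Map attrs = new HashMap();
        for (Enumeration e = oldHttp.getAttributeNames(); e.hasMoreElements();) {
            String name = (String) e.nextElement();
            attrs.put(name, oldHttp.getAttribute(name));
        }

        // 2. Copy Catalina notes. FormAuthenticator stores the saved original
        //    request here; without it the redirect after login breaks.
        Map notes = new HashMap();
        for (Iterator i = old.getNoteNames(); i.hasNext();) {
            String name = (String) i.next();
            notes.put(name, old.getNote(name));
        }

        // 3. Expire the old session: the ID an attacker may have planted or
        //    observed before login stops resolving to anything from here on.
        old.expire();

        // 4. Create the replacement (Tomcat issues a new JSESSIONID cookie)
        //    and restore the copied state into it.
        request.getSession(true);
        Session fresh = request.getSessionInternal(false);
        HttpSession freshHttp = fresh.getSession();
        for (Iterator i = attrs.entrySet().iterator(); i.hasNext();) {
            Map.Entry entry = (Map.Entry) i.next();
            freshHttp.setAttribute((String) entry.getKey(), entry.getValue());
        }
        for (Iterator i = notes.entrySet().iterator(); i.hasNext();) {
            Map.Entry entry = (Map.Entry) i.next();
            fresh.setNote((String) entry.getKey(), entry.getValue());
        }
    }
}
```

Declaring the valve in the context (for example `<Valve className="example.session.LoginSessionRotationValve"/>` in the webapp's context configuration) puts it ahead of the authenticator in the pipeline, so `FormAuthenticator` already sees the new session when it processes the credentials. Two caveats follow from the thread itself: `expire()` fires session-destroyed listeners for the old session, which a webapp tracking sessions by ID will notice; and, as David points out, HTTP Basic authentication has no login request to hook, so a valve keyed on `j_security_check` does nothing for it. Later Tomcat releases perform this rotation in the authenticators themselves (the `changeSessionIdOnAuthentication` attribute), which is the container-side fix both posters ask for.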
