From: Christopher Schultz
To: Tomcat Users List <users@tomcat.apache.org>
Date: Mon, 11 Feb 2008 15:32:47 -0500
Message-ID: <47B0B0EF.5060905@christopherschultz.net>
Subject: Re: How to avoid session fixation?
In-Reply-To: <47AC28D6.3010702@oma.be>

David,

David Delbecq wrote:
| I think this is worth submitting a security issue request on tracker,
| to ask that, at least, the container links the requester IP to the
| session.

I'm pretty sure that nobody will want to do this -- at least not without the ability to turn the feature off. You'll break a lot of users if you require session id <-> ip address matching.

| Changing session ID upon login in container would be a good thing
| imho, it would ensure the ID becomes unknown to attacker after login,
| wouldn't destroy user session (keep session, only change its
| identifier) and would work whatever authentication mechanism is used.

I completely agree. Christopher, I think your valve might be more attractive if it was able to change the id of the session and leave it at that. I'm not familiar enough with the Tomcat API to know if this is possible and/or a good idea.

| Drawback is that webapps that rely on session id for some session
| tracking mechanism would break.

True, although most webapps probably use whatever session id is currently in use. If you did a lot of AJAX where the session id available to the page becomes out-of-date after a login, you will have to make special considerations for that. I think you'll find that this is not much of a problem.
-chris
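The mitigation the thread converges on (keep the session, change only its identifier once the user has authenticated) as an added example; this is not the valve discussed above nor Tomcat's own code. It assumes a webapp's login servlet calls `rotateSession` right after verifying credentials, and uses only the Servlet 2.5 API of the time: a later Servlet 3.1 container can do the same in one call with `HttpServletRequest.changeSessionId()`.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Rotates the session identifier after a successful login, so a session id
 * that was observed or planted before login no longer resolves to the
 * authenticated session, while the user's session state is preserved.
 * Hypothetical helper class; not part of Tomcat.
 */
public final class SessionRotator {

    private SessionRotator() {}

    /**
     * Replaces the current session with a fresh one carrying the same
     * attributes and returns it. Call once, immediately after credentials
     * are verified and before anything is committed to the response, so
     * the new JSESSIONID cookie can still be set.
     */
    public static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            // Snapshot attributes first: invalidate() discards them.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            // After this the pre-login id maps to no session at all.
            old.invalidate();
        }
        // A new session gets a freshly generated id; the container sends
        // the updated JSESSIONID cookie with this response.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

This is exactly the case Chris raises for AJAX-heavy pages: any page script that captured the session id before login must read it again afterwards, since the old value is now meaningless.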