tomcat-users mailing list archives

From "Brian" <bbprefix-m...@yahoo.com>
Subject RE: JSESSIONID weakness Severity in Tomcat 6.0.29?
Date Sun, 10 Oct 2010 22:24:43 GMT
Mark,

I'm not using either "basic" or "form". I developed my own solution, which
works great for me.
Assuming that "session fixation" is my problem, what would you suggest I do?
Is there any web page on the internet that explains the issue?



> -----Original Message-----
> From: Mark Thomas [mailto:markt@apache.org]
> Sent: Sunday, October 10, 2010 03:09 PM
> To: Tomcat Users List
> Subject: Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
> 
> On 10/10/2010 20:59, Brian wrote:
> > Hi Mark,
> >
> > Do you understand exactly what vulnerability they are talking about?
> 
> No. It doesn't make much sense to me at the minute. I'd ask for more
> specific information.
> 
> > For
> > some reason, they have determined that I have it, even though I'm not
> > using JRun, but they wrongly assume I am.
> 
> Looks like it so far. It all depends how they are detecting the
> vulnerability. It could be a false positive but there isn't enough
> information to tell.
> 
> > What do you mean exactly with "app managing its own authentication"?
> > Sorry if it is a dumb question.
> 
> If you use Tomcat's authentication (BASIC, FORM, etc) then Tomcat will
> change the session ID on authentication and therefore protect against
> session fixation.
> 
> If the app has its own authentication mechanism it is possible that the
> session ID will not be changed on authentication creating the possibility
> for a session fixation attack.
> 
> > I found this on Google, and now that I read it I realize they are
> > quoting you!  :-)
> > http://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm
> > Is this the same subject?
> 
> Yep, although that is looking at Tomcat 7. The session fixation protection
> (along with a handful of other things originally developed for Tomcat 7)
> got back-ported to Tomcat 6.
> 
> Mark
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


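As an added illustration of the point Mark makes above (this is example code, not from the thread or from Tomcat itself): a login servlet for an application that does its own authentication on Tomcat 6 (Servlet 2.5, so there is no request.changeSessionId()), which rotates the session ID after a successful credential check by invalidating the pre-login session and creating a fresh one. The checkCredentials method and the /home redirect target are assumed placeholders for the application's own logic.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Login servlet for an app that does its own authentication (Servlet 2.5 /
// Tomcat 6, so no request.changeSessionId()). Without rotateSession(), the
// JSESSIONID issued before login stays valid after login, which is what a
// session fixation attack relies on.
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (!checkCredentials(user, pass)) {   // hypothetical app-specific check
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Drop the pre-authentication session and issue a new ID before
        // storing anything that marks the session as logged in.
        HttpSession session = rotateSession(req);
        session.setAttribute("authenticatedUser", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Invalidates the current session and returns a fresh one with a new
    // JSESSIONID, carrying over the old session's attributes.
    static HttpSession rotateSession(HttpServletRequest req) {
        Map<String, Object> keep = new HashMap<String, Object>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                keep.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : keep.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    private boolean checkCredentials(String user, String pass) {
        return user != null && pass != null && !pass.isEmpty(); // placeholder
    }
}
```

The order matters: rotate first, then mark the session as authenticated, so the only session ID that ever carries the logged-in state is one the browser received after the credentials were checked.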