tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brian" <bbprefix-m...@yahoo.com>
Subject RE: JSESSIONID weakness Severity in Tomcat 6.0.29?
Date Mon, 11 Oct 2010 00:01:34 GMT
Thanks!
It was as easy as Googling the subject, but I didn't know what was exactly
the name of it.

> -----Original Message-----
> From: Ken Bowen [mailto:kbowen@als.com]
> Sent: Sunday, October 10, 2010 05:52 PM
> To: Tomcat Users List
> Subject: Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
> 
> Google "session fixation" -->
http://en.wikipedia.org/wiki/Session_fixation
> 
> On Oct 10, 2010, at 6:24 PM, Brian wrote:
> 
> > Mark,
> >
> > I'm not using either "basic" or "form". I developed my own solution,
> > which works great for me.
> > Assuming that the "session fixation" is my problem, what would you
> > suggest me to do? Is there any web page on the internet that explains
the
> issue?
> >
> >
> >
> >> -----Original Message-----
> >> From: Mark Thomas [mailto:markt@apache.org]
> >> Sent: Sunday, October 10, 2010 03:09 PM
> >> To: Tomcat Users List
> >> Subject: Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
> >>
> >> On 10/10/2010 20:59, Brian wrote:
> >>> Hi Mark,
> >>>
> >>> Do you understand exactly what vulnerability are they talking about?
> >>
> >> No. It doesn't make much sense to me at the minute. I'd ask for more
> > specific
> >> information.
> >>
> >>> For
> >>> some reason, they have determined that I have it, even though I'm
> >>> not using Jrun but they wrongly assume I am.
> >>
> >> Looks like it so far. It all depends how they are detecting the
> > vulnerability. It
> >> could be a false positive but there isn't enough information to tell.
> >>
> >>> What do you mean exactly with "app managing its own authentication"?
> >>> Sorry if it is a dumb question.
> >>
> >> If you use Tomcat's authentication (BASIC, FORM, etc) then Tomcat
> >> will
> > change
> >> the session ID on authentication and therefore protect against
> >> session
> > fixation.
> >>
> >> If the app has its own authentication mechanism it is possible that
> >> the
> > session ID
> >> will not be changed on authentication creating the possibility for a
> > session
> >> fixation attack.
> >>
> >>> I found this on Google, and now that I read it I realize they are
> >>> quoting you!  :-)
> >>> http://www.developer.com/java/web/article.php/3904871/Top-7-
> Features
> >>> -i
> >>> n-Tomc
> >>> at-7-The-New-and-the-Improved.htm
> >>> Is this the same subject?
> >>
> >> Yep, although that is looking at Tomcat 7. The session fixation
> >> protection
> > (along
> >> with a handle of other things originally developed for Tomcat 7) got
> > back-ported
> >> to Tomcat 6.
> >>
> >> Mark
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message