tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brian" <>
Subject RE: JSESSIONID weakness Severity in Tomcat 6.0.29?
Date Mon, 11 Oct 2010 16:06:04 GMT
Hi Mark,

Well, it seems that got crazy! They already told me
that they made some changes in their system, and now they are having
problems (bugs).
I was just asking myself: How can their automatized procedure know if I am
vulnerable to the session fixation problem, if it doesnt know a valid
user+password, so it is not being able to actually login to my system?

Anyway, something good came from this: I realized that actually my system
was not safe to session fixation. After the login process, it was not
invalidating the session and creating a new one. Now it is. I just had to
program the system to save the attributes, invalidadte the current session,
create a new one, and recreate the attributes. Fortunately, Tomcat generates
a new session ID for the new session. It seems that it was not happening in
the previous versions of Tomcat and in other containers (according to what I
have read in some forums), but now it is.

Thanks for all your help!

> -----Original Message-----
> From: Mark Thomas []
> Sent: Sunday, October 10, 2010 03:09 PM
> To: Tomcat Users List
> Subject: Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
> On 10/10/2010 20:59, Brian wrote:
> > Hi Mark,
> >
> > Do you understand exactly what vulnerability are they talking about?
> No. It doesn't make much sense to me at the minute. I'd ask for more
> information.
> > For
> > some reason, they have determined that I have it, even though I'm not
> > using Jrun but they wrongly assume I am.
> Looks like it so far. It all depends how they are detecting the
vulnerability. It
> could be a false positive but there isn't enough information to tell.
> > What do you mean exactly with "app managing its own authentication"?
> > Sorry if it is a dumb question.
> If you use Tomcat's authentication (BASIC, FORM, etc) then Tomcat will
> the session ID on authentication and therefore protect against session
> If the app has its own authentication mechanism it is possible that the
session ID
> will not be changed on authentication creating the possibility for a
> fixation attack.
> > I found this on Google, and now that I read it I realize they are
> > quoting you!  :-)
> >
> > n-Tomc
> > at-7-The-New-and-the-Improved.htm
> > Is this the same subject?
> Yep, although that is looking at Tomcat 7. The session fixation protection
> with a handle of other things originally developed for Tomcat 7) got
> to Tomcat 6.
> Mark
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message