tomcat-users mailing list archives

From Ken Bowen <kbo...@als.com>
Subject Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
Date Sun, 10 Oct 2010 22:51:36 GMT
Google "session fixation" -->  http://en.wikipedia.org/wiki/Session_fixation

On Oct 10, 2010, at 6:24 PM, Brian wrote:

> Mark,
> 
> I'm not using either "basic" or "form". I developed my own solution, which
> works great for me.
> Assuming that the "session fixation" is my problem, what would you suggest
> I do? Is there any web page on the internet that explains the issue?
> 
> 
> 
>> -----Original Message-----
>> From: Mark Thomas [mailto:markt@apache.org]
>> Sent: Sunday, October 10, 2010 03:09 PM
>> To: Tomcat Users List
>> Subject: Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
>> 
>> On 10/10/2010 20:59, Brian wrote:
>>> Hi Mark,
>>> 
>>> Do you understand exactly what vulnerability they are talking about?
>> 
>> No. It doesn't make much sense to me at the minute. I'd ask for more specific
>> information.
>> 
>>> For
>>> some reason, they have determined that I have it, even though I'm not
>>> using Jrun but they wrongly assume I am.
>> 
>> Looks like it so far. It all depends how they are detecting the vulnerability.
>> It could be a false positive but there isn't enough information to tell.
>> 
>>> What do you mean exactly with "app managing its own authentication"?
>>> Sorry if it is a dumb question.
>> 
>> If you use Tomcat's authentication (BASIC, FORM, etc) then Tomcat will change
>> the session ID on authentication and therefore protect against session
>> fixation.
>> 
>> If the app has its own authentication mechanism it is possible that the
>> session ID will not be changed on authentication, creating the possibility
>> for a session fixation attack.
>> 
>>> I found this on Google, and now that I read it I realize they are
>>> quoting you!  :-)
>>> http://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm
>>> Is this the same subject?
>> 
>> Yep, although that is looking at Tomcat 7. The session fixation protection
>> (along with a handful of other things originally developed for Tomcat 7) got
>> back-ported to Tomcat 6.
>> 
>> Mark
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> 


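The session-ID rotation Mark describes for an application that manages its own authentication, written out as an added example. This is not code from the thread, from Tomcat, or from Brian's application; it assumes a Servlet 2.5 (Tomcat 6) webapp, and the class name, the `authenticatedUser` attribute name and the `carryOver` parameter are choices made for the illustration. Servlet 2.5 has no call to change the ID of a live session, so the old session is invalidated and a fresh one created, which is what makes a planted JSESSIONID useless after login:

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Rotates the session ID at the moment a user authenticates. Tomcat's own
 * BASIC/FORM authenticators do this for container-managed logins; an app with
 * its own login code has to do it itself, otherwise the JSESSIONID the client
 * arrived with (possibly chosen by someone else) stays valid after login.
 */
public final class LoginSessionRotation {

    /** Attribute holding the authenticated user name (name assumed for this example). */
    public static final String USER_ATTR = "authenticatedUser";

    private LoginSessionRotation() {}

    /**
     * Call after the credentials have been verified and before anything is
     * stored in the session on behalf of the authenticated user.
     *
     * @param request       the login request; carries the pre-login JSESSIONID
     * @param principalName the verified user name
     * @param carryOver     names of pre-login attributes worth keeping across the
     *                      rotation (a shopping cart, a locale); all others are dropped
     * @return the new session, whose ID differs from the pre-login one
     */
    public static HttpSession rotate(HttpServletRequest request,
                                     String principalName,
                                     String... carryOver) {
        HttpSession old = request.getSession(false);
        Map<String, Object> kept = new HashMap<String, Object>();
        if (old != null) {
            for (String name : carryOver) {
                Object value = old.getAttribute(name);
                if (value != null) {
                    kept.put(name, value);
                }
            }
            // Retire the ID the client presented. Any copy of that ID held
            // elsewhere now refers to a session that no longer exists.
            old.invalidate();
        }
        // Tomcat generates a new JSESSIONID here and adds the Set-Cookie
        // header to the response.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : kept.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute(USER_ATTR, principalName);
        return fresh;
    }

    // Typical use inside a login servlet, after the password check succeeds:
    //
    //   HttpSession s = LoginSessionRotation.rotate(req, username, "cart");
    //
    // Only the attributes named in carryOver survive, so pre-login state that
    // the login code did not ask for is not carried into the authenticated session.
}
```

To check whether an application is exposed, log in while watching the cookies: the JSESSIONID value sent with the login request and the one in the response's Set-Cookie header must differ. If they are identical, the session was not rotated. For container-managed authentication on Tomcat 6 the same behaviour is controlled by the authenticator valve's `changeSessionIdOnAuthentication` attribute, which defaults to true; later Servlet versions (3.1 onward) also offer `request.changeSessionId()`, which keeps the session's attributes and swaps only the ID.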

