tomcat-users mailing list archives

From Mark Thomas <>
Subject Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
Date Sun, 10 Oct 2010 20:09:03 GMT
On 10/10/2010 20:59, Brian wrote:
> Hi Mark,
> Do you understand exactly what vulnerability are they talking about?

No. It doesn't make much sense to me at the minute. I'd ask for more
specific information.

> For
> some reason, they have determined that I have it, even though I'm not using
> Jrun but they wrongly assume I am.

Looks like it so far. It all depends how they are detecting the
vulnerability. It could be a false positive but there isn't enough
information to tell.

> What do you mean exactly with "app managing its own authentication"? Sorry
> if it is a dumb question.

If you use Tomcat's authentication (BASIC, FORM, etc) then Tomcat will
change the session ID on authentication and therefore protect against
session fixation.

If the app has its own authentication mechanism it is possible that the
session ID will not be changed on authentication creating the
possibility for a session fixation attack.

> I found this on Google, and now that I read it I realize they are quoting
> you!  :-)
> at-7-The-New-and-the-Improved.htm
> Is this the same subject?

Yep, although that is looking at Tomcat 7. The session fixation
protection (along with a handful of other things originally developed for
Tomcat 7) got back-ported to Tomcat 6.

