tomcat-users mailing list archives

From Andrea Corti <ilgrandemazin...@gmail.com>
Subject Re: Session Invalidate not working on HTTPS ( Tomcat 6.0.29 )
Date Tue, 30 Nov 2010 14:53:21 GMT
Hi, I discovered that (perhaps) the problem arises in the following rows in
the Request class:

        // Attempt to reuse session id if one was submitted in a cookie
        // Do not reuse the session id if it is from a URL, to prevent possible
        // phishing attacks
        if (connector.getEmptySessionPath()
                && isRequestedSessionIdFromCookie()) {
            session = manager.createSession(getRequestedSessionId());
        } else {
            session = manager.createSession(null);
        }

I have emptySessionPath=true and the session id is stored in the
JSESSIONID cookie, so the code goes into the first branch, reusing the session id.
I don't understand very well the comment in the code where it says "Attempt
to reuse session id if one was submitted in a cookie"; is there any reason
for this?
Is it correct to comment out this if statement in order to always call
createSession(null), or is there another way to work around this?

Thanks in advance.

Andrea



2010/11/30 Andrea Corti <ilgrandemazinger@gmail.com>

> Yes, I have emptySessionPath=true in connectors; is this the issue?
>
> Thanks for the link, now I'm trying to debug in order to find some more
> details for you experts.
>
> Thanks.
>
> 2010/11/30 Konstantin Kolinko <knst.kolinko@gmail.com>
>
>> >> > Follows an extract from a test servlet:
>> >> >         HttpSession s = req.getSession();
>> >> >         if (s==null) {
>> >> >             System.out.println(mt+":Session is null");
>> >> >         } else {
>> >> >             System.out.println(mt+":Session id="+s.getId()+"\tNew="+s.isNew());
>> >> >         }
>> >> >         System.out.println("pre- invalidate");
>> >> >         s.invalidate();
>> >> >         System.out.println("post- invalidate: id="+s.getId());
>> >> >         s = req.getSession(true);
>> >> >         System.out.println("post- get new: id="+s.getId());
>> >>
>> >> Okay, what does the above servlet print when you access it via HTTP, and then access it via HTTPS?
>> >>
>> >
>> > HTTP Output:
>> > POST:Session id=F5FAF6115F7BA37ECDA22299C9B3B4BC     New=true
>> > pre- invalidate
>> > sessionDestroyed [F5FAF6115F7BA37ECDA22299C9B3B4BC] <-- this log is printed by an HttpSessionListener
>> > post- invalidate: id=F5FAF6115F7BA37ECDA22299C9B3B4BC
>> > sessionCreated [36BA1CCC7AEC8A9808027D57B6A5A52A] <-- this log is printed by an HttpSessionListener
>> > post- get new: id=36BA1CCC7AEC8A9808027D57B6A5A52A
>> >
>> > We can notice that the session id after the getSession(true) is different from the previous one.
>> >
>> > HTTPS Output:
>> > POST:Session id=36BA1CCC7AEC8A9808027D57B6A5A52A     New=false
>> > pre- invalidate
>> > sessionDestroyed [36BA1CCC7AEC8A9808027D57B6A5A52A] <-- this log is printed by an HttpSessionListener
>> > post- invalidate: id=36BA1CCC7AEC8A9808027D57B6A5A52A
>> > sessionCreated [36BA1CCC7AEC8A9808027D57B6A5A52A] <-- this log is printed by an HttpSessionListener
>> > post- get new: id=36BA1CCC7AEC8A9808027D57B6A5A52A
>> >
>> > In this case the session id is always the same!
>> >
>>
>> Do you, by a chance, have emptySessionPath=true on your Connector?
>>
>> > I saw that between release 28 and 29 the following class has been changed, but I'm not able to debug it.
>> > java\org\apache\catalina\connector\Response.java (method addSessionCookieInternal)
>>
>> http://wiki.apache.org/tomcat/FAQ/Developing
>>
>> Best regards,
>> Konstantin Kolinko
>>
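The thread shows invalidate() followed by getSession(true) handing back the same id over HTTPS. Below is an added helper, written for this page and not code from Tomcat or the original poster, that rotates a session (for example at login), carries its attributes over, and logs a warning when the container re-issued the submitted id instead of a fresh one; the class and method names (SessionRotation, rotate, Result) are my own.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper (not Tomcat code): rotate the session id and verify it changed. */
public final class SessionRotation {
    private static final Logger LOG = Logger.getLogger(SessionRotation.class.getName());
    /** Outcome of one rotation: the ids before and after, and whether they differ. */
    public static final class Result {
        public final String oldId;
        public final String newId;
        public final boolean rotated;
        Result(String oldId, String newId) {
            this.oldId = oldId;
            this.newId = newId;
            this.rotated = (oldId == null) || !oldId.equals(newId);
        }
    }
    /** Invalidate the current session, create a fresh one, carry attributes over, check the id. */
    public static Result rotate(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        String oldId = null;
        if (old != null) {
            oldId = old.getId();
            // Servlet 2.5 declares a raw Enumeration here, hence the cast below.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        Result result = new Result(oldId, fresh.getId());
        if (!result.rotated) {
            // Same symptom as the HTTPS output in this thread: the container re-created the
            // session under the id the client submitted, so the rotation gave no protection.
            LOG.warning("session id was not rotated after invalidate(): id=" + result.newId
                    + ", requestedFromCookie=" + req.isRequestedSessionIdFromCookie());
        }
        return result;
    }
}
```

The warning is the signal to check the Connector configuration (the emptySessionPath setting discussed in this thread) rather than to keep calling invalidate() in a loop.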
