tomcat-users mailing list archives

From Shanti Suresh <sha...@umich.edu>
Subject Re: Security issue regarding JSESSIONID cookie
Date Fri, 28 Sep 2012 16:37:57 GMT
Hi Joan,

"<tracking-mode>cookie</tracking-mode>", from my understanding, uses the
SSL session-ID as the cookie-value in the Tomcat container.  This value
will be different from what Apache assigns on the front-end SSL connection
to the browser (as Konstantin pointed out).  With tracking-mode COOKIE, I
believe, a JSESSIONID cookie is created and used.

If the "<tracking-mode>cookie</tracking-mode>" setting does the trick, then
a more secure configuration may be:

----a better web.xml:-----
<session-config>
<cookie-config><secure>true</secure></cookie-config>
<tracking-mode>cookie</tracking-mode>
</session-config>
----------------

The above configuration makes sure that a cookie is set only on an HTTPS
connection coming into Tomcat.

And in general, an even better one would be:

---------- web.xml:------
<session-config>
<cookie-config>
<secure>true</secure>
<http-only>true</http-only>
</cookie-config>
<tracking-mode>cookie</tracking-mode>
</session-config>
----------------------------------

What the above configuration does is that it prevents any malicious
client-side code from accessing the cookie and thereby misusing it against
your service.

Thanks.

                     -Shanti

On Fri, Sep 28, 2012 at 11:51 AM, Joan Morales <joan.ula@gmail.com> wrote:

> I put the
> <tracking-mode>SSL</tracking-mode> because I thought It was necessary to
> handle the SSL on TC, anyways I'll change It to COOKIE and see what happens.
> Another couple of ideas were to use a Valve for SSL on TC or enable the
> mod_header on Apache, but any idea on how  this would help?
>
> Thanks,
> Joan
>
>
> --
> Joan Morales
>
> El 28/09/2012, a las 17:35, Shanti Suresh <shanti@umich.edu> escribió:
>
> > Hi Joan,
> >
> > What happens when you change the web.xml settings to:
> >
> > ----------web.xml:----
> > <session-config>
> >        <session-timeout>30</session-timeout>
> >         <tracking-mode>COOKIE</tracking-mode>
> >  </session-config>
> >
> > --------------------------
> >
> > Thanks.
> >
> >                  -Shanti
> >
> >
> > On Fri, Sep 28, 2012 at 10:58 AM, Konstantin Kolinko <knst.kolinko@gmail.com> wrote:
> >
> >> 2012/9/28 Martin Gainty <mgainty@hotmail.com>:
> >>>
> >>> that is NOT what the op asked for
> >>>
> >>> if the OP is implementing ssl via her FE Apache then she needs to implement and config mod-ssl on that FE apache server
> >>>
> >>> You need to Understand what the op environment is before criticising the solution
> >>> Martin
> >>
> >> The OP asked about JSESSIONID cookie (as said in $Subject) and getting
> >> rid of it.  It is not about configuring mod_ssl.
> >>
> >>
> >> http://en.wikipedia.org/wiki/Posting_style#Choosing_the_proper_posting_style
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
>

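As an added example that is not part of this thread: a small Python check (standard library only; the two web.xml strings are constructed samples) that parses a Servlet 3.0 web.xml and reports whether the session cookie is marked Secure and HttpOnly and whether COOKIE is the only tracking mode, the three settings recommended in the reply above.

```python
# Added example, not from the thread: audit a web.xml <session-config>.
import xml.etree.ElementTree as ET

# Constructed sample resembling the weak configuration discussed in the thread.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>30</session-timeout>
    <tracking-mode>SSL</tracking-mode>
  </session-config>
</web-app>"""

# Constructed sample with Secure + HttpOnly cookies and cookie-only tracking.
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <cookie-config><secure>true</secure><http-only>true</http-only></cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""


def _local(tag):
    # Drop the schema namespace: "{http://java.sun.com/xml/ns/javaee}secure" -> "secure"
    return tag.rsplit("}", 1)[-1]


def _find(elem, name):
    """First element in the subtree (including elem) with this local name, else None."""
    return next((e for e in elem.iter() if _local(e.tag) == name), None)


def audit_session_config(web_xml):
    """Return a list of findings; an empty list means the config is hardened."""
    sc = _find(ET.fromstring(web_xml), "session-config")  # raises on malformed XML
    if sc is None:
        return ["no <session-config>: container defaults apply"]

    def is_true(name):
        e = _find(sc, name)
        return e is not None and (e.text or "").strip().lower() == "true"

    findings = []
    if not is_true("secure"):
        findings.append("<secure> not true: JSESSIONID may be sent over plain HTTP")
    if not is_true("http-only"):
        findings.append("<http-only> not true: page scripts can read JSESSIONID")
    # Compared case-insensitively; anything but cookie-only leaves URL or SSL tracking in play.
    modes = sorted({(e.text or "").strip().upper()
                    for e in sc.iter() if _local(e.tag) == "tracking-mode"})
    if modes != ["COOKIE"]:
        findings.append("tracking modes %s: only COOKIE should be enabled" % modes)
    return findings
```

Note that the mistyped `<httponly>true</http-only>` from the thread is rejected by the XML parser before any check runs, which is the same reason Tomcat would refuse to deploy that web.xml.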