Subject: Re: Security issue regarding JSESSIONID cookie
From: Shanti Suresh
To: Tomcat Users List
Date: Fri, 28 Sep 2012 12:37:57 -0400
In-Reply-To: <8F12F60B-1EF5-499D-83B3-C1A5703CEADA@gmail.com>

Hi Joan,

"cookie", from my understanding, uses the SSL session-ID as the cookie-value in the Tomcat container. This value will be different from what Apache assigns on the front-end SSL connection to the browser (as Konstantin pointed out). With tracking-mode COOKIE, I believe, a JSESSIONID cookie is created and used.

If the "cookie" setting does the trick, then a more secure configuration may be:

----a better web.xml:-----
true
cookie
----------------

The above configuration makes sure that a cookie is set only on an HTTPS connection coming into Tomcat.

And in general, an even better one would be:

---------- web.xml:------
true
true
cookie
----------------------------------

What the above configuration does is that it prevents any malicious client-side code from accessing the cookie and thereby misusing it against your service.

Thanks.

-Shanti

On Fri, Sep 28, 2012 at 11:51 AM, Joan Morales wrote:

> I put the
> SSL because I thought it was necessary to
> handle the SSL on TC, anyways I'll change it to COOKIE and see what happens.
> Another couple of ideas were to use a Valve for SSL on TC or enable the
> mod_header on Apache, but any idea on how this would help?
>
> Thanks,
> Joan
>
>
> --
> Joan Morales
>
> On 28/09/2012, at 17:35, Shanti Suresh wrote:
>
> > Hi Joan,
> >
> > What happens when you change the web.xml settings to:
> >
> > ----------web.xml:----
> >
> > 30
> > COOKIE
> >
> >
> > --------------------------
> >
> > Thanks.
> >
> > -Shanti
> >
> >
> > On Fri, Sep 28, 2012 at 10:58 AM, Konstantin Kolinko <knst.kolinko@gmail.com> wrote:
> >
> >> 2012/9/28 Martin Gainty :
> >>>
> >>> that is NOT what the op asked for
> >>>
> >>> if the OP is implementing ssl via her FE Apache then she needs to
> >> implement and config mod-ssl on that FE apache server
> >>>
> >>> You need to Understand what the op environment is before criticising the
> >> solution
> >>> Martin
> >>
> >> The OP asked about JSESSIONID cookie (as said in $Subject) and getting
> >> rid of it. It is not about configuring mod_ssl.
> >>
> >>
> >> http://en.wikipedia.org/wiki/Posting_style#Choosing_the_proper_posting_style
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
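The web.xml fragments quoted in this thread lost their XML tags in the archive. Added example, not from any of the messages above: a complete Servlet 3.0 session-config that combines the three settings discussed (session-timeout, Secure plus HttpOnly on the session cookie, and cookie-only tracking), written for Tomcat 7 and assuming Apache terminates TLS in front of it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): Servlet 3.0 web.xml whose session
     cookie carries both Secure and HttpOnly, with URL rewriting
     (;jsessionid=...) disabled by restricting tracking to cookies. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <session-config>
    <!-- Idle timeout in minutes (the value used in the thread). -->
    <session-timeout>30</session-timeout>

    <cookie-config>
      <!-- Keep the default name so existing mod_jk / load-balancer
           sticky-session rules still match (assumption: JSESSIONID is in use). -->
      <name>JSESSIONID</name>
      <!-- HttpOnly: script running in the page cannot read this cookie
           through document.cookie. -->
      <http-only>true</http-only>
      <!-- Secure: the browser sends the cookie over HTTPS only. Tomcat sets
           the flag by itself only when it sees the request as secure; with
           TLS terminated on Apache the hop into Tomcat is plain HTTP or AJP,
           so either force it here or mark that Connector in server.xml with
           secure="true" so request.isSecure() is true. -->
      <secure>true</secure>
    </cookie-config>

    <!-- COOKIE only: no fallback to URL rewriting, so the session id does
         not leak into access logs, Referer headers or bookmarks. -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

</web-app>
```

After deploying, a quick check is to look at the Set-Cookie header on the first response through Apache: it should read JSESSIONID=...; Path=/...; Secure; HttpOnly, and no URL on the site should carry ;jsessionid=.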