tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Session being dropped in Virtual Host in 8.0.9
Date Tue, 03 Feb 2015 12:52:08 GMT
2015-02-03 14:04 GMT+03:00 Rory Kelly <rory.kelly@fernsoftware.com>:
> Hi Chris,
>
> Sorry for the late reply, I wound up working from home yesterday, and access
> to the server was less than ideal
> I'm just gonna dump the Headers from the login get, through to when it dumps
> me back out at the login.
>

> #response
> HTTP/1.1 302 Found
> Cache-Control: no-cache, no-store, must-revalidate, max-age=0
> Connection: keep-alive
> Content-Length: 0
> Content-Type: text/html;charset=utf-8
> Date: Tue, 03 Feb 2015 10:50:03 GMT
> Location: http://redacted.site.io/login

1) Does the above Location header names the same web site? If you are
redirected to a different site, the browser will use a different set
of cookies for it (as you Set-Cookie headers do not set domain for the
cookie, and thus it is limited to a single site).

> Server: nginx/1.6.2 (Ubuntu)
> Set-Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836; path=/;
> expires=Tue, 03 Feb 2015 10:55:03 -0000; HttpOnly

2) Is "ib" you session cookie?  Is it created by Tomcat (just with a
different cookie name), or by something else?

3) Generally I would expect a cookie change when a FORM challenge is issued,
but the Set-Cookie header has the same cookie value as before. Thus my
guess of a different site name.

(CVE-2013-2067)
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.33


4) Is the time value correct? Is client's clock correct?
Comparing the Date header in the response and the cookie, it is valid
for 5 minutes only.

If client's clock is wrong, it may expire the cookie earlier than in 5 minutes.

> X-XSS-Protection: 1; mode=block
> x-content-type-options: nosniff
> x-frame-options: SAMEORIGIN
>
> ##Redirect
> GET /login HTTP/1.1redacted.site.io
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
> Firefox/35.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://boyle.fern.io/login/challenge

5) Leaking a site name....

> Cookie: ib=f7e8f6d4823853063b94e16a1f5252b06b62de621361f67ac6fdeca7259c0ec3
> Connection: keep-alive


Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message