tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rory Kelly <rory.ke...@fernsoftware.com>
Subject RE: Session being dropped in Virtual Host in 8.0.9
Date Tue, 03 Feb 2015 15:02:31 GMT
Hi Konstantin,

>1) Does the above Location header names the same web site? If you are
>redirected to a different site, the browser will use a different set of
>cookies for it (as you >Set-Cookie headers do not set domain for the
>cookie, and thus it is limited to a single site).

Yeah, it's all contained in a single site, on a single WAR, for now.

>> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;
>> path=/; expires=Tue, 03 Feb 2015 10:55:03 -0000; HttpOnly

>2) Is "ib" you session cookie?  Is it created by Tomcat (just with a
>different cookie name), or by something else?

"ib" is getting set by Rack. I've tried the same WAR on my Windows machine,
and it works fine. The only difference between the two instances is the
environment (Single Host Tomcat 8.0.9 on Windows from Apache's website vs. a
Virtual Host Tomcat 8.0.9 on  Ubuntu installed through apt-get.

>(CVE-2013-2067)
>http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.33

Hmm, from this, I'm assuming my cookie should be changing for each POST
request. That doesn't seem to be happening on either environment. Could this
be my issue?

>> Referer: http://trythatagain.redacted.io/login/challenge
>5) Leaking a site name....

Bah. The copy-replace apparently ignores chunks of text. Wonderful.

(Should I be removing the original message from my replies, to avoid
cluttering?)
Kind Regards,
Rory

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com]
Sent: 03 February 2015 12:52
To: Tomcat Users List
Subject: Re: Session being dropped in Virtual Host in 8.0.9

2015-02-03 14:04 GMT+03:00 Rory Kelly <rory.kelly@fernsoftware.com>:
> Hi Chris,
>
> Sorry for the late reply, I wound up working from home yesterday, and
> access to the server was less than ideal I'm just gonna dump the
> Headers from the login get, through to when it dumps me back out at
> the login.
>

> #response
> HTTP/1.1 302 Found
> Cache-Control: no-cache, no-store, must-revalidate, max-age=0
> Connection: keep-alive
> Content-Length: 0
> Content-Type: text/html;charset=utf-8
> Date: Tue, 03 Feb 2015 10:50:03 GMT
> Location: http://redacted.site.io/login

1) Does the above Location header names the same web site? If you are
redirected to a different site, the browser will use a different set of
cookies for it (as you Set-Cookie headers do not set domain for the cookie,
and thus it is limited to a single site).

> Server: nginx/1.6.2 (Ubuntu)
> Set-Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;
> path=/; expires=Tue, 03 Feb 2015 10:55:03 -0000; HttpOnly

2) Is "ib" you session cookie?  Is it created by Tomcat (just with a
different cookie name), or by something else?

3) Generally I would expect a cookie change when a FORM challenge is issued,
but the Set-Cookie header has the same cookie value as before. Thus my guess
of a different site name.



4) Is the time value correct? Is client's clock correct?
Comparing the Date header in the response and the cookie, it is valid for 5
minutes only.

If client's clock is wrong, it may expire the cookie earlier than in 5
minutes.

5) Leaking a site name....

> Cookie:
> ib=f7e8f6d4823853063b94e16a1f5252b06b62de621361f67ac6fdeca7259c0ec3
> Connection: keep-alive


Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message