tomcat-users mailing list archives

From "Pottinger, Hardy J." <Pottinge...@missouri.edu>
Subject RE: seeking help with stabilizing the persistence of a JSESSIONID
Date Thu, 03 Sep 2015 16:52:07 GMT
Hi, I'm trying to disable session-fixation-attack protection on our test server, and I've added
the following valve to both my application's context-fragment file, as well as the main context.xml
file:

 <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
        changeSessionIdOnAuthentication="false"
        alwaysUseSession="true"/>

However, after several Tomcat restarts, I can still see the session cookie change after authentication.

I'm wondering if perhaps the problem is that this isn't Tomcat authentication, but HTTPD authentication,
via the Shibboleth module on Apache.

--Hardy

________________________________________
From: Pottinger, Hardy J.
Sent: Thursday, September 03, 2015 11:13 AM
To: Tomcat Users List
Subject: RE: seeking help with stabilizing the persistence of a JSESSIONID

Hi, Chris, thanks for the quick reply! Right now I'm just grasping at straws. If I can prove
the JSESSIONID remains the same, and the previous URL is still lost, I'll have definitive
proof that the application code is somehow at fault. Right now I have this gray area where
it looks (to application devs like me) that Tomcat is losing the session. Can you help me
bounce this hot potato back to my fellow devs? :-) Thanks!

--Hardy
________________________________________
From: Christopher Schultz [chris@christopherschultz.net]
Sent: Thursday, September 03, 2015 10:45 AM
To: Tomcat Users List
Subject: Re: seeking help with stabilizing the persistence of a JSESSIONID

Harry,

On 9/3/15 11:12 AM, Pottinger, Hardy J. wrote:
> Hi, I'm a committer for DSpace [1] (a Java servlet) and I'm working
> on a bug [2]. This bug presents with the following symptoms:
>
> 1) user searches site, finds an item of interest, attempts to
> access the item, but is not currently logged in, so is presented
> with a "please enter password" challenge;
> 2) user chooses to authenticate via Shibboleth and is passed on to
> a Shibboleth IdP for authentication
> 3) user authenticates successfully
> 4) user is returned to the home page of the site, instead of the
> item previously requested
>
> DSpace stores the previously-visited URL in the session. I can see
> the JSESSIONID cookie at step 1 above. At step 4, the JSESSIONID
> is new. In other words, the previous session (with the previous
> URL information) is discarded.

Are you sure that the stored URL has been discarded, or has only the
session identifier changed? Tomcat changes session ids after
successful authentication to prevent session-fixation attacks.

> I suspect that there is some setting for Tomcat7 I'm missing, Is
> there some way to tell Tomcat to allow these sessions to persist
> during the roundtrip to the Shibboleth IdP and back?

You *can* disable session-id changes, but then you lose a layer of
security. Are you sure you need to disable this protection?

-chris
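The distinction Chris draws above (only the session id rotated, versus the session state discarded) in an added Java example that is neither DSpace nor Tomcat code: a hypothetical post-login servlet reached after the Shibboleth round trip that rotates the JSESSIONID in application code while carrying every session attribute across, so the saved URL survives the id change. The class name, the attribute name `dspace.returnUrl` and the Servlet 3.0 API (no `changeSessionId()`, which Tomcat 7 does not offer) are assumptions.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet; the principal comes from the HTTPD/Shibboleth layer,
// so nothing here authenticates anything, it only re-keys the session.
public class PostLoginServlet extends HttpServlet {
    // Assumed attribute name for the URL saved at the "please log in" step.
    static final String RETURN_URL = "dspace.returnUrl";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Rotate the id (session-fixation defence) but keep the session's state.
        HttpSession fresh = rotateSession(req);
        fresh.setAttribute("user", req.getRemoteUser());
        Object saved = fresh.getAttribute(RETURN_URL);
        String target = req.getContextPath() + "/";
        if (saved instanceof String && isLocalPath((String) saved)) {
            target = (String) saved;   // still present: only the id changed
        }
        resp.sendRedirect(target);
    }

    // Copy every attribute into a brand-new session, then drop the old one.
    // invalidate() alone, or ignoring the old session, yields "new id, URL gone".
    static HttpSession rotateSession(HttpServletRequest req) {
        Map<String, Object> state = new HashMap<>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                state.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : state.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    // Only redirect to a same-site path, never to a user-supplied host.
    static boolean isLocalPath(String url) {
        return url.startsWith("/") && !url.startsWith("//") && !url.startsWith("/\\");
    }
}
```

If the redirect still lands on the home page with this in place, the attribute was never written or was dropped before this point, which is the application-side fault Hardy wants to prove or rule out.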

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

