From: GOMEZ Henri
To: Tomcat Developers List
Subject: RE: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/session SessionId.java
Date: Mon, 5 Nov 2001 11:22:21 +0100

Excellent idea, +1, but could we have it enabled in server.xml?

- Henri Gomez
EMAIL : hgomez@slib.fr
PGP KEY : 697ECEDD
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6

>-----Original Message-----
>From: bojan@apache.org [mailto:bojan@apache.org] >Sent: Monday, November 05, 2001 7:34 AM >To: jakarta-tomcat-cvs@apache.org >Subject: cvs commit: >jakarta-tomcat/src/share/org/apache/tomcat/modules/session >SessionId.java > > >bojan 01/11/04 22:34:09 > > Modified: src/share/org/apache/tomcat/modules/session >SessionId.java > Log: > Verify SSL Session ID against Tomcat session.\nDisables >Tomcat session stealing over SSL.\n\nSince nobody complained >about the concept, I took the liberty to do it... Scream if >against the rules. > > Revision Changes Path > 1.15 +25 -0 >jakarta-tomcat/src/share/org/apache/tomcat/modules/session/Sess >ionId.java > > Index: SessionId.java > =================================================================== > RCS file: >/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/se >ssion/SessionId.java,v > retrieving revision 1.14 > retrieving revision 1.15 > diff -u -r1.14 -r1.15 > --- SessionId.java 2001/09/01 00:53:43 1.14 > +++ SessionId.java 2001/11/05 06:34:09 1.15 
> @@ -235,6 +235,31 @@ > if( sess!=null ) break; > } > > + /* The following block of code verifies if Tomcat >session matches > + SSL session (if one was ever passed to Tomcat). >Just in case > + somebody is trying to steal Tomcat sessions over SSL. > + We can't verify that if SSL is not used. */ > + > + if(sess != null && request.isSecure() ){ // Request >is over SSL > + // SSL session ID from session and request - they >have to be equal! > + String >ids=(String)sess.getAttribute("javax.servlet.request.ssl_session"), > + >idr=(String)request.getAttribute("javax.servlet.request.ssl_session"); > + > + if(debug>0) cm.log("Request SSL ID="+idr+", >Session SSL ID="+ids); > + > + if(idr != null){ // Only do this if there is an >SSL session ID > + if(ids != null){ // Do we have a stored SSL >session ID from before? > + if(!ids.equals(idr)){ // Is someone cheating? > + sess=null; // No sessions for thugs > + cm.log("SECURITY WARNING: SSL session "+idr+ > + " doesn't match Tomcat session >"+sessionId+"!"); > + } > + } else { // First time, save the SSL session ID > + >sess.setAttribute("javax.servlet.request.ssl_session",idr); > + } > + } > + } > + > if (sess != null) { > request.setRequestedSessionId( sessionId ); > request.setSessionIdSource( source ); > > > > >-- >To unsubscribe, e-mail: For additional commands, e-mail: -- To unsubscribe, e-mail: For additional commands, e-mail:
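Review bot: the binding is only enforced inside `if(sess != null && request.isSecure())`, so a Tomcat session that already carries a stored `javax.servlet.request.ssl_session` attribute is still accepted unchanged when the same session ID arrives on a non-secure request; if the goal is to tie a session to its SSL session, the `else` path for a non-secure request should at least log (and probably reject, `sess=null`) a session whose `ids` is non-null. Two further points on the same block: the stored ID is written once (`sess.setAttribute(...)` only when `ids == null`) and never refreshed, so any SSL session renegotiation or SSL session-cache expiry during the life of the Tomcat session will make `ids.equals(idr)` fail and drop a legitimate user with a "SECURITY WARNING"; this behaviour, and the fact that the check is unconditional (Henri's request for a server.xml switch), deserve a comment or a configuration flag. Finally, both the `debug>0` line and the warning write the full `idr`, `ids` and `sessionId` values to the log; logging a truncated form is enough to correlate events without leaving live session identifiers in log files.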