Return-Path: 
 <users-return-203052-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: (qmail 44404 invoked from network); 13 Oct 2009 11:01:55 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3)
  by minotaur.apache.org with SMTP; 13 Oct 2009 11:01:55 -0000
Received: (qmail 238 invoked by uid 500); 13 Oct 2009 11:01:51 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 118 invoked by uid 500); 13 Oct 2009 11:01:51 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 107 invoked by uid 99); 13 Oct 2009 11:01:51 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 13 Oct 2009 11:01:51 +0000
X-ASF-Spam-Status: No, hits=-1.6 required=5.0
	tests=AWL,BAYES_00
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: local policy)
Received: from [81.201.219.194] (HELO misc1.headweb.com) (81.201.219.194)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 13 Oct 2009 11:01:48 +0000
Received: from localhost (localhost [127.0.0.1])
	by misc1.headweb.com (Postfix) with ESMTP id 13DAB8FC063;
	Tue, 13 Oct 2009 13:01:26 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=headweb.com; h=
	x-mailer:references:date:date:subject:subject:mime-version
	:content-transfer-encoding:content-type:content-type:in-reply-to
	:from:from:message-id:received:received; s=aug08; t=1255431683;
	 bh=WztlL+eopJr3ioG/19xzNlEUHk3J1RJhhsDwWRzZIio=; b=AEVdFIydSkFG
	FHpBjIs1cJ8FSkxSJ1CIYfDPxI7CCMgMJ9ErCHDz/rkGIJyP+mGcKQqAfKhD8/O+
	mVgMKzR8yQ==
X-Virus-Scanned: amavisd-new at headweb.com
X-Spam-Score: -4.286
X-Spam-Level: 
Received: from misc1.headweb.com ([127.0.0.1])
	by localhost (misc1.headweb.com [127.0.0.1]) (amavisd-new, port 10026)
	with ESMTP id Hbm0I1Cvqaw9; Tue, 13 Oct 2009 13:01:23 +0200 (CEST)
Received: from johan-mb.vpn.stromnet.se
 (c-17fd70d5.016-325-67626721.cust.bredbandsbolaget.se [213.112.253.23])
	by misc1.headweb.com (Postfix) with ESMTPSA id 534828FC05F;
	Tue, 13 Oct 2009 13:01:23 +0200 (CEST)
Cc: Mark Thomas <markt@apache.org>
Message-Id: <D2EA732A-F08F-485E-863A-5841C19F8ECA@headweb.com>
From: =?ISO-8859-1?Q?Johan_Str=F6m?= <johan@headweb.com>
To: "Tomcat Users List" <users@tomcat.apache.org>
In-Reply-To: <4AD43A80.4020609@apache.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed; delsp=yes
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Apple Message framework v936)
Subject: Re: PATCH: Session ID from URL; would like some input!
Date: Tue, 13 Oct 2009 13:01:22 +0200
References: <3D3C9FFA-0584-465A-A866-B1894B854191@headweb.com>
 <4AD43A80.4020609@apache.org>
X-Mailer: Apple Mail (2.936)
X-Old-Spam-Flag: NO
X-Old-Spam-Status: No, score=-4.286 tagged_above=-999 required=4
	tests=[ALL_TRUSTED=-1.8, AWL=0.113, BAYES_00=-2.599] autolearn=ham

Hi Mark,
thanks for your response!

On Oct 13, 2009, at 10:29 , Mark Thomas wrote:

> Johan Str=F6m wrote:
>> Hello list!
>> First of all, this maybe better suited for the dev list, but a quick
>> peek only showed svn log mails etc soo.. Sending here instead, let me
>> know if its wrong!
>
> It is 50/50. The patch is of more interest to the dev list but if the
> patch is rejected then the users list is the best place to get ideas
> about other ways of doing things. The mailing lists block most patches
> so an enhancement request in Bugzilla is the best place for your =20
> patch.


I see, it's available here if you'd like to take a quick look:

https://dev.headweb.com/johan/pub/Request.java.patch


>
> Without seeing the patch it is hard to comment but SRV.7.1 makes it
> clear that cookies override URL parameters. It doesn't make a =20
> comment on
> what if the cookie session is invalid and the URL one not. There might
> be some scope for flexibility here.

Correct, cookies override URL parameter, but as you said, not when the =20=

session in cookie is invalid. I guess one could make it configurable =20
but I have no idea how that would be done, haven't dug that deep into =20=

the tomcat source :)

>
>> We're having a problem related to Tomcat, in a pretty unusual =20
>> scenario.
>> Basicly the problem is with old expired sessions, and reading =20
>> session ID
>> from URL instead of cookie.
>> An example, in our case browser A is a main browser, and browser B =20=

>> is a
>> slave "browser" (actually only a webkit rendering engine) which we =20=

>> only
>> call with an URL to show a specific page, and we do not have control
>> over cookies in browser B.
>
> Any way to "close" "browser B"? That should delete the session cookie.

Unfortunately not, so not a solution.

>
>> So, browser B sends both the old session ID in the cookie (which is =20=

>> an
>> expired session), and the new sessionid on the URL. This confuses =20
>> tomcat.
>> In catalina/connector/Request.java and CoyoteAdaptor, we first =20
>> check for
>> a sessino ID on the URL, store it in Request, and then we check =20
>> for  a
>> cookie, and if we got one, we just overwrite the session ID from =20
>> the URL.
>>
>> My solution? The attached patch!
>> Now, what I'd like to know, can anyone of you developers see any =20
>> nasty
>> side effects that I might have missed about this?
>
> In principle, it sounds OK but I'd want to see the patch first. If it
> were implemented, then it would go into Tomcat 7 and may not be
> back-ported to earlier versions. It may also be made optional.

See URL above.

>
> Keep in mind that session handling is more configurable in the Servlet
> 3.0 spec (not that I think it helps with this issue) and that changing
> the session ID on authentication to protect against session fixation =20=

> is
> an open enhancement request that should also get included in Tomcat 7.

Me changing the session ID is not what I'm doing, its rather that the =20=

old session ID has timed out, and browser A is assigned a new session =20=

which i need to tell browser B to use too.

>
>> One thing that was concerned about was that it would introduce =20
>> session
>> hijacking risks, but the only difference is that the evildoer have to
>> erase his (already expired) cookie.. Normal tomcat accepts =20
>> jsessionid on
>> URL anyway, as long as there is no cookie, so that should not be a
>> security concern.
>
> Agreed.

Great :)

Johan


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org