https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #19 from jcran <jc...@0x0e.org> 2009-12-09 23:57:11 UTC ---

At the risk of sounding like a troll, this is a pretty major security issue. Why is it only now being dealt with?

True, it's not going to prevent all session fixation, but as Mark Thomas mentioned, it goes a /long/ way, and makes it /much/ more difficult to pull off. You can no longer shoot a simple link to a user, and immediately have access to their session.

Regardless, it does prevent Session Hijacking - http://en.wikipedia.org/wiki/Session_hijacking - (esp. in applications that don't expire the session on the server). Imagine you visit an application at a public PC, and a session ID is written to the URL. When that page is saved to the browser's cache, the URL is saved with the JSESSIONID parameter. A user could simply browse this cache, looking for valid session ids. Similarly, the session id can be cached in a proxy cache, or be sniffed along the path.

Until this is fixed, I'm recommending the following:

- Prevent SessionID from being written in the URL. There's not an easy configuration option for this with Tomcat, unfortunately: http://forum.springsource.org/archive/index.php/t-27259.html
- Ensure a new SessionID is set when the user successfully logs into the application. This will prevent an attack called Session Fixation: http://www.acros.si/papers/session_fixation.pdf
- Implement relatively quick expiring sessions on the server (30 mins or less)
- Implement HTTPS w/ secure cookies (to prevent sidejacking - an issue that will persist regardless of session id's in the url)

More info here: http://blog.0x0e.org/post/277275694/tomcats-jsessionid-in-the-url
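The recommendations in the comment above, worked into a login servlet for a Servlet 3.0+ container such as Tomcat 7 (an added example, not code from the bug report or from Tomcat itself): the session ID is rotated on successful login, the inactivity timeout is set to 30 minutes, and the post-login redirect is issued without URL rewriting so no ;jsessionid= is appended. The class name, the "/home" path and the abstract authenticate() hook are assumptions standing in for the application's own code.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical login servlet; authenticate() is the application's own credential check. */
public abstract class LoginServlet extends HttpServlet {
    private static final int SESSION_TIMEOUT_SECONDS = 30 * 60; // "30 mins or less"
    protected abstract boolean authenticate(String user, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        if (!authenticate(user, req.getParameter("pass"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = rotateSession(req);    // fresh ID once the user is authenticated
        session.setAttribute("user", user);
        session.setMaxInactiveInterval(SESSION_TIMEOUT_SECONDS);
        // Plain sendRedirect, not resp.encodeRedirectURL(): nothing appends ;jsessionid=...
        // to the Location header, so the ID travels only in the cookie.
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /** Discard whatever session ID the client held before authenticating (it may have been
     *  planted through a URL) and move its attributes to a new session. Servlet 3.1+
     *  containers (Tomcat 8 and later) offer req.changeSessionId() for the same purpose. */
    static HttpSession rotateSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> saved = new HashMap<>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

On a Servlet 3.0+ container the first and fourth recommendations can additionally be enforced declaratively in web.xml with `<session-config><tracking-mode>COOKIE</tracking-mode><cookie-config><secure>true</secure><http-only>true</http-only></cookie-config></session-config>`, which stops Tomcat from ever rewriting the ID into URLs and marks the JSESSIONID cookie Secure and HttpOnly.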