Author: markt
Date: Fri Dec 11 17:30:59 2009
New Revision: 889716
URL: http://svn.apache.org/viewvc?rev=889716&view=rev
Log:
Address session fixation by changing the session ID on authentication. This is
enabled by default. This should be safe since this also happens when sessions
migrate between nodes in a cluster. If an app can't handle a changing ID, then
the feature can be disabled in the authenticator.
Modified:
tomcat/trunk/java/org/apache/catalina/Manager.java
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/trunk/java/org/apache/catalina/connector/Request.java
tomcat/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java
tomcat/trunk/webapps/docs/config/valve.xml
Modified: tomcat/trunk/java/org/apache/catalina/Manager.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Manager.java?rev=889716&r1=889715&r2=889716&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/Manager.java (original)
+++ tomcat/trunk/java/org/apache/catalina/Manager.java Fri Dec 11 17:30:59 2009
@@ -260,6 +260,15 @@
/**
+ * Change the session ID of the current session to a new randomly generated
+ * session ID.
+ *
+ * @param session The session to change the session ID for
+ */
+ public void changeSessionId(Session session);
+
+
+ /**
* Get a session from the recycled ones or create a new empty one.
* The PersistentManager manager does not need to create session data
* because it reads it from the Store.
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=889716&r1=889715&r2=889716&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
Fri Dec 11 17:30:59 2009
@@ -38,6 +38,7 @@
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleListener;
+import org.apache.catalina.Manager;
import org.apache.catalina.Pipeline;
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
@@ -123,6 +124,12 @@
/**
+ * Should the session ID, if any, be changed upon a successful
+ * authentication to prevent a session fixation attack?
+ */
+ protected boolean changeSessionIdOnAuthentication = true;
+
+ /**
* The Context to which this Valve is attached.
*/
protected Context context = null;
@@ -513,6 +520,7 @@
*/
return;
}
+
}
if (log.isDebugEnabled()) {
@@ -726,6 +734,13 @@
request.setUserPrincipal(principal);
Session session = request.getSessionInternal(false);
+
+ if (session != null && changeSessionIdOnAuthentication) {
+ Manager manager = request.getContext().getManager();
+ manager.changeSessionId(session);
+ request.changeSessionId(session.getId());
+ }
+
// Cache the authentication information in our session, if any
if (cache) {
if (session != null) {
Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=889716&r1=889715&r2=889716&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Fri Dec 11
17:30:59 2009
@@ -2252,6 +2252,40 @@
/**
+ * Change the ID of the session that this request is associated with. There
+ * are several things that may trigger an ID change. These include mmoving
+ * between nodes in a cluster and session fixation prevention during the
+ * authentication process.
+ *
+ * @param session The session to change the session ID for
+ */
+ public void changeSessionId(String newSessionId) {
+ // This should only ever be called if there was an old session ID but
+ // double check to be sure
+ if (requestedSessionId != null && requestedSessionId.length() > 0) {
+ requestedSessionId = newSessionId;
+ }
+
+ if (context != null && !context.getServletContext()
+ .getEffectiveSessionTrackingModes().contains(
+ SessionTrackingMode.COOKIE))
+ return;
+
+ if (response != null) {
+ Cookie newCookie =
+ ApplicationSessionCookieConfig.createSessionCookie(
+ context.getServletContext().getSessionCookieConfig(),
+ newSessionId,
+ secure,
+ context.getUseHttpOnly(),
+ response.getConnector().getEmptySessionPath(),
+ context.getEncodedPath());
+ response.addCookie(newCookie);
+ }
+ }
+
+
+ /**
* Return the session associated with this Request, creating one
* if necessary and requested.
*
@@ -2370,7 +2404,7 @@
throw new ServletException(
sm.getString("coyoteRequest.authFail", username));
}
- // Assume if we have a non-null LogonConfig then we must have an
+ // Assume if we have a non-null LoginConfig then we must have an
// authenticator
context.getAuthenticator().register(this, getResponse(), principal,
authMethod, username, password);
Modified:
tomcat/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java?rev=889716&r1=889715&r2=889716&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
Fri Dec 11 17:30:59 2009
@@ -410,9 +410,8 @@
* new session id for node migration
*/
protected void changeRequestSessionID(Request request, Response response,
String sessionId, String newSessionID) {
- request.setRequestedSessionId(newSessionID);
- if(request.isRequestedSessionIdFromCookie())
- setNewSessionCookie(request, response,newSessionID);
+ request.changeSessionId(newSessionID);
+
// set original sessionid at request, to allow application detect the
// change
if (sessionIdAttribute != null && !"".equals(sessionIdAttribute)) {
@@ -454,6 +453,8 @@
* @param request current request
* @param response Tomcat Response
* @param sessionId The session id
+ *
+ * @deprecated Use {...@link Request#changeSessionId(String)}
*/
protected void setNewSessionCookie(Request request,
Response response, String sessionId) {
Modified: tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java?rev=889716&r1=889715&r2=889716&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java Fri Dec 11
17:30:59 2009
@@ -922,6 +922,17 @@
}
+ /**
+ * Change the session ID of the current session to a new randomly generated
+ * session ID.
+ *
+ * @param session The session to change the session ID for
+ */
+ public void changeSessionId(Session session) {
+ session.setId(generateSessionId());
+ }
+
+
// ------------------------------------------------------ Protected Methods
Modified: tomcat/trunk/webapps/docs/config/valve.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/valve.xml?rev=889716&r1=889715&r2=889716&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/valve.xml (original)
+++ tomcat/trunk/webapps/docs/config/valve.xml Fri Dec 11 17:30:59 2009
@@ -395,6 +395,13 @@
<strong>org.apache.catalina.authenticator.BasicAuthenticator</strong>.</p>
</attribute>
+ <attribute name="changeSessionIdOnAuthentication" required="false">
+ <p>Controls if the session ID is changed if a session exists at the
+ point where users are authenticated. This is to prevent session
fixation
+ attacks. If not set, the default value of <code>true</code> will be
+ used.</p>
+ </attribute>
+
<attribute name="disableProxyCaching" required="false">
<p>Controls the caching of pages that are protected by security
constraints. Setting this to <code>false</code> may help work around
@@ -447,6 +454,13 @@
<strong>org.apache.catalina.authenticator.DigestAuthenticator</strong>.</p>
</attribute>
+ <attribute name="changeSessionIdOnAuthentication" required="false">
+ <p>Controls if the session ID is changed if a session exists at the
+ point where users are authenticated. This is to prevent session
fixation
+ attacks. If not set, the default value of <code>true</code> will be
+ used.</p>
+ </attribute>
+
<attribute name="disableProxyCaching" required="false">
<p>Controls the caching of pages that are protected by security
constraints. Setting this to <code>false</code> may help work around
@@ -499,6 +513,13 @@
<strong>org.apache.catalina.authenticator.FormAuthenticator</strong>.</p>
</attribute>
+ <attribute name="changeSessionIdOnAuthentication" required="false">
+ <p>Controls if the session ID is changed if a session exists at the
+ point where users are authenticated. This is to prevent session
fixation
+ attacks. If not set, the default value of <code>true</code> will be
+ used.</p>
+ </attribute>
+
<attribute name="characterEncoding" required="false">
<p>Character encoding to use to read the username and password
parameters
from the request. If not set, the encoding of the request body will be
@@ -557,6 +578,13 @@
<strong>org.apache.catalina.authenticator.SSLAuthenticator</strong>.</p>
</attribute>
+ <attribute name="changeSessionIdOnAuthentication" required="false">
+ <p>Controls if the session ID is changed if a session exists at the
+ point where users are authenticated. This is to prevent session
fixation
+ attacks. If not set, the default value of <code>true</code> will be
+ used.</p>
+ </attribute>
+
<attribute name="disableProxyCaching" required="false">
<p>Controls the caching of pages that are protected by security
constraints. Setting this to <code>false</code> may help work around
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
