Author: markt
Date: Fri Dec 11 17:30:59 2009
New Revision: 889716

URL: http://svn.apache.org/viewvc?rev=889716&view=rev
Log:
Address session fixation by changing the session ID on authentication. This is 
enabled by default. This should be safe since this also happens when sessions 
migrate between nodes in a cluster. If an app can't handle a changing ID, then 
the feature can be disabled in the authenticator.  

Modified:
    tomcat/trunk/java/org/apache/catalina/Manager.java
    tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
    tomcat/trunk/java/org/apache/catalina/connector/Request.java
    tomcat/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
    tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java
    tomcat/trunk/webapps/docs/config/valve.xml

Modified: tomcat/trunk/java/org/apache/catalina/Manager.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Manager.java?rev=889716&r1=889715&r2=889716&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/Manager.java (original)
+++ tomcat/trunk/java/org/apache/catalina/Manager.java Fri Dec 11 17:30:59 2009
@@ -260,6 +260,15 @@
 
 
     /**
+     * Change the session ID of the current session to a new randomly generated
+     * session ID.
+     * 
+     * @param session   The session to change the session ID for
+     */
+    public void changeSessionId(Session session);
+    
+    
+    /**
      * Get a session from the recycled ones or create a new empty one.
      * The PersistentManager manager does not need to create session data
      * because it reads it from the Store.

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=889716&r1=889715&r2=889716&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java 
Fri Dec 11 17:30:59 2009
@@ -38,6 +38,7 @@
 import org.apache.catalina.Lifecycle;
 import org.apache.catalina.LifecycleException;
 import org.apache.catalina.LifecycleListener;
+import org.apache.catalina.Manager;
 import org.apache.catalina.Pipeline;
 import org.apache.catalina.Realm;
 import org.apache.catalina.Session;
@@ -123,6 +124,12 @@
 
 
     /**
+     * Should the session ID, if any, be changed upon a successful
+     * authentication to prevent a session fixation attack?
+     */
+    protected boolean changeSessionIdOnAuthentication = true;
+    
+    /**
      * The Context to which this Valve is attached.
      */
     protected Context context = null;
@@ -513,6 +520,7 @@
                  */
                 return;
             } 
+            
         }
     
         if (log.isDebugEnabled()) {
@@ -726,6 +734,13 @@
         request.setUserPrincipal(principal);
 
         Session session = request.getSessionInternal(false);
+        
+        if (session != null && changeSessionIdOnAuthentication) {
+            Manager manager = request.getContext().getManager();
+            manager.changeSessionId(session);
+            request.changeSessionId(session.getId());
+        }
+
         // Cache the authentication information in our session, if any
         if (cache) {
             if (session != null) {

Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=889716&r1=889715&r2=889716&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Fri Dec 11 
17:30:59 2009
@@ -2252,6 +2252,40 @@
 
 
     /**
+     * Change the ID of the session that this request is associated with. There
+     * are several things that may trigger an ID change. These include mmoving
+     * between nodes in a cluster and session fixation prevention during the
+     * authentication process.
+     * 
+     * @param session   The session to change the session ID for
+     */
+    public void changeSessionId(String newSessionId) {
+        // This should only ever be called if there was an old session ID but
+        // double check to be sure
+        if (requestedSessionId != null && requestedSessionId.length() > 0) {
+            requestedSessionId = newSessionId;
+        }
+        
+        if (context != null && !context.getServletContext()
+                .getEffectiveSessionTrackingModes().contains(
+                        SessionTrackingMode.COOKIE))
+            return;
+        
+        if (response != null) {
+            Cookie newCookie =
+                ApplicationSessionCookieConfig.createSessionCookie(
+                        context.getServletContext().getSessionCookieConfig(),
+                        newSessionId,
+                        secure,
+                        context.getUseHttpOnly(),
+                        response.getConnector().getEmptySessionPath(),
+                        context.getEncodedPath());
+            response.addCookie(newCookie);
+        }
+    }
+
+    
+    /**
      * Return the session associated with this Request, creating one
      * if necessary and requested.
      *
@@ -2370,7 +2404,7 @@
                 throw new ServletException(
                         sm.getString("coyoteRequest.authFail", username));
             }
-            // Assume if we have a non-null LogonConfig then we must have an
+            // Assume if we have a non-null LoginConfig then we must have an
             // authenticator
             context.getAuthenticator().register(this, getResponse(), principal,
                     authMethod, username, password);

Modified: 
tomcat/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java?rev=889716&r1=889715&r2=889716&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java 
Fri Dec 11 17:30:59 2009
@@ -410,9 +410,8 @@
      *            new session id for node migration
      */
     protected void changeRequestSessionID(Request request, Response response, 
String sessionId, String newSessionID) {
-        request.setRequestedSessionId(newSessionID);
-        if(request.isRequestedSessionIdFromCookie())
-            setNewSessionCookie(request, response,newSessionID);
+        request.changeSessionId(newSessionID);
+
         // set original sessionid at request, to allow application detect the
         // change
         if (sessionIdAttribute != null && !"".equals(sessionIdAttribute)) {
@@ -454,6 +453,8 @@
      * @param request current request
      * @param response Tomcat Response
      * @param sessionId The session id
+     * 
+     * @deprecated Use {...@link Request#changeSessionId(String)}
      */
     protected void setNewSessionCookie(Request request,
                                        Response response, String sessionId) {

Modified: tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java?rev=889716&r1=889715&r2=889716&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java Fri Dec 11 
17:30:59 2009
@@ -922,6 +922,17 @@
     }
 
 
+    /**
+     * Change the session ID of the current session to a new randomly generated
+     * session ID.
+     * 
+     * @param session   The session to change the session ID for
+     */
+    public void changeSessionId(Session session) {
+        session.setId(generateSessionId());
+    }
+    
+    
     // ------------------------------------------------------ Protected Methods
 
 

Modified: tomcat/trunk/webapps/docs/config/valve.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/valve.xml?rev=889716&r1=889715&r2=889716&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/valve.xml (original)
+++ tomcat/trunk/webapps/docs/config/valve.xml Fri Dec 11 17:30:59 2009
@@ -395,6 +395,13 @@
         
<strong>org.apache.catalina.authenticator.BasicAuthenticator</strong>.</p>
       </attribute>
 
+      <attribute name="changeSessionIdOnAuthentication" required="false">
+        <p>Controls if the session ID is changed if a session exists at the
+        point where users are authenticated. This is to prevent session 
fixation
+        attacks. If not set, the default value of <code>true</code> will be
+        used.</p>
+      </attribute>
+
       <attribute name="disableProxyCaching" required="false">
         <p>Controls the caching of pages that are protected by security
         constraints. Setting this to <code>false</code> may help work around
@@ -447,6 +454,13 @@
         
<strong>org.apache.catalina.authenticator.DigestAuthenticator</strong>.</p>
       </attribute>
 
+      <attribute name="changeSessionIdOnAuthentication" required="false">
+        <p>Controls if the session ID is changed if a session exists at the
+        point where users are authenticated. This is to prevent session 
fixation
+        attacks. If not set, the default value of <code>true</code> will be
+        used.</p>
+      </attribute>
+
       <attribute name="disableProxyCaching" required="false">
         <p>Controls the caching of pages that are protected by security
         constraints. Setting this to <code>false</code> may help work around
@@ -499,6 +513,13 @@
         
<strong>org.apache.catalina.authenticator.FormAuthenticator</strong>.</p>
       </attribute>
 
+      <attribute name="changeSessionIdOnAuthentication" required="false">
+        <p>Controls if the session ID is changed if a session exists at the
+        point where users are authenticated. This is to prevent session 
fixation
+        attacks. If not set, the default value of <code>true</code> will be
+        used.</p>
+      </attribute>
+
       <attribute name="characterEncoding" required="false">
         <p>Character encoding to use to read the username and password 
parameters
         from the request. If not set, the encoding of the request body will be
@@ -557,6 +578,13 @@
         
<strong>org.apache.catalina.authenticator.SSLAuthenticator</strong>.</p>
       </attribute>
 
+      <attribute name="changeSessionIdOnAuthentication" required="false">
+        <p>Controls if the session ID is changed if a session exists at the
+        point where users are authenticated. This is to prevent session 
fixation
+        attacks. If not set, the default value of <code>true</code> will be
+        used.</p>
+      </attribute>
+
       <attribute name="disableProxyCaching" required="false">
         <p>Controls the caching of pages that are protected by security
         constraints. Setting this to <code>false</code> may help work around



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to