DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks

2010-08-25 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

Mark Thomas ma...@apache.org changed:

   What|Removed |Added

 CC||thu...@cz.ibm.com

--- Comment #29 from Mark Thomas ma...@apache.org 2010-08-25 15:01:59 EDT ---
*** Bug 40222 has been marked as a duplicate of this bug. ***

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

2010-06-04 Thread bugzilla

--- Comment #28 from Arvind Srinivasan yoa...@gmail.com 2010-06-04 08:51:33 EDT ---
Should changing the session id of an existing session object be treated the
same as creating a new session i.e. should the session creation listeners be
triggered?

http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/session/ManagerBase.java?r1=903083&r2=918761
invokes setId() which in turn invokes the session creation listeners in
tellNew().

2010-03-03 Thread bugzilla

Mark Thomas ma...@apache.org changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||FIXED

--- Comment #27 from Mark Thomas ma...@apache.org 2010-03-03 23:12:24 UTC ---
The ability to change the session ID on authentication has been added to 5.5.x
and will be included in 5.5.29 onwards.

2009-12-30 Thread bugzilla

--- Comment #23 from jcran jc...@0x0e.org 2009-12-30 07:36:31 UTC ---
Really pleased to see this integrated. Thank you Mark / Dillon. 

Just to be clear, we're waiting until Tomcat 7 to be able to remove the
JSessionID from the url?

2009-12-30 Thread bugzilla

jcran jc...@0x0e.org changed:

   What|Removed |Added

 CC||jc...@0x0e.org

2009-12-30 Thread bugzilla

--- Comment #24 from Mark Thomas ma...@apache.org 2009-12-30 07:50:25 GMT ---
(In reply to comment #23)
> Really pleased to see this integrated. Thank you Mark / Dillon.
>
> Just to be clear, we're waiting until Tomcat 7 to be able to remove the
> JSessionID from the url?

Yes, but Tomcat 5 & 6 will change the session ID on authentication which
addresses the root cause of the session fixation. With that fixed whether or
not the session ID is in the URL is moot.

2009-12-30 Thread bugzilla

--- Comment #25 from jcran jc...@0x0e.org 2009-12-30 08:14:01 UTC ---
(In reply to comment #24)
> ...
> Yes, but Tomcat 5 & 6 will change the session ID on authentication which
> addresses the root cause of the session fixation. With that fixed whether or
> not the session ID is in the URL is moot.

So it appears that the session ID in the URL will be encrypted. I had to do
some sniffing / digging myself -
http://answers.google.com/answers/threadview/id/758002.html - but it's still
bad practice, and introduces vulnerability. 

Consider the case of a proxy server, or of your own browser history. If you
take a look, you'll see that jsessionid's are getting cached in the history,
regardless of whether they were handed out after authentication or not. 

That aside, there's no reason that the browser couldn't cache the entire
response, thus making this whole point moot -- it just doesn't out of the box.
Removing the session ID from the URL would prevent browser history caching of a
Session ID.

2009-12-30 Thread bugzilla

--- Comment #26 from Mark Thomas ma...@apache.org 2009-12-30 08:37:02 GMT ---
(In reply to comment #25)
> So it appears that the session ID in the URL will be encrypted. I had to do
> some sniffing / digging myself -
> http://answers.google.com/answers/threadview/id/758002.html - but it's still
> bad practice, and introduces vulnerability.

This is FUD. There is no vulnerability here.

> Consider the case of a proxy server, or of your own browser history. If you
> take a look, you'll see that jsessionid's are getting cached in the history,
> regardless of whether they were handed out after authentication or not.
>
> That aside, there's no reason that the browser couldn't cache the entire
> response, thus making this whole point moot -- it just doesn't out of the box.
> Removing the session ID from the URL would prevent browser history caching of a
> Session ID.

More FUD.

The situations you describe are not vulnerabilities. Since Bugzilla is neither
a support forum nor a discussion forum, if you wish to continue this discussion
further, please do so on the users list.

2009-12-19 Thread bugzilla

Mark Thomas ma...@apache.org changed:

   What|Removed |Added

  Component|Catalina|Catalina
Version|unspecified |5.5.28
Product|Tomcat 6|Tomcat 5
   Target Milestone|default |---

--- Comment #22 from Mark Thomas ma...@apache.org 2009-12-19 17:05:23 GMT ---
The patch has been applied to 6.0.x and will be included in 6.0.21 onwards.

2009-12-11 Thread bugzilla

--- Comment #21 from Mark Thomas ma...@apache.org 2009-12-11 09:45:21 GMT ---
I have patched Tomcat 7 to change the session ID on authentication by default.
The same patch has been proposed for 6.0.x and 5.5.x although the default may
be not to change the session ID.

With this patch applied the situation is:
Tomcat 7
- Not vulnerable by default since session ID changes on authentication
- If this default is changed by the user (eg because the application can't
handle a changing session ID) then the risks may be minimised by disabling
session tracking via URL (a new feature in Servlet 3)

Tomcat 5 & 6
- Can be prevented by enabling changing the session ID on authentication (if
there is insufficient support for this to be enabled by default)
- If the application can't handle a changing session ID then the risks may be
minimised by writing a custom filter that checks
request.isRequestedSessionIdFromURL() and responds accordingly (eg rejecting
the request)

With these changes in place, although there will not be an option to disable
URL re-writing, I believe that there will be sufficient options to prevent
session fixation which is, after all, the reason behind the request to be able
to disable URL rewriting.

2009-12-09 Thread bugzilla

--- Comment #20 from jcran jc...@0x0e.org 2009-12-09 23:59:01 UTC ---
I should be careful. It doesn't prevent all session hijacking, just certain
use-cases. See comments above.

jcran

2009-11-25 Thread bugzilla

Maxim Valyanskiy max.valjan...@gmail.com changed:

   What|Removed |Added

 CC||max.valjan...@gmail.com

2009-11-17 Thread bugzilla

Andre Schild a.sch...@aarboard.ch changed:

   What|Removed |Added

 CC||a.sch...@aarboard.ch

--- Comment #18 from Andre Schild a.sch...@aarboard.ch 2009-11-17 11:48:35 UTC ---
A good document describing session fixation can be found here:

http://www.acros.si/papers/session_fixation.pdf

Just disabling the usage of jsessionid= in the URL does not solve the
problem, it just closes one of many open doors.

2009-09-23 Thread bugzilla

--- Comment #16 from Rejeev Divakaran rej...@gmail.com 2009-09-23 09:47:24 PDT ---
I think we have misunderstood Session fixation. Disabling URL re-write will
not solve session fixation.
Please refer to http://www.owasp.org/index.php/Session_Fixation 
and http://rejeev.blogspot.com/2009/09/session-fixation_08.html 
The correct solution for Session fixation is to create new Session cookie each
time an authentication happens (discard old cookie and send new cookie to
client after authentication).

2009-09-23 Thread bugzilla

Rejeev Divakaran rej...@gmail.com changed:

   What|Removed |Added

 CC||rej...@gmail.com

2009-09-23 Thread bugzilla

--- Comment #17 from Mark Thomas ma...@apache.org 2009-09-23 18:20:36 BST ---
Actually, preventing the use of the session ID in the URL goes a long way to
preventing session fixation as it blocks the most easily exploited attack
vectors. There would remain an issue with cookies but that should be limited to
3rd party cookies which may not be an issue for many situations.

You are correct that changing the session ID on authentication will resolve all
session fixation attacks. However, changing the session ID may also cause
application breakage. It may also cause internal breakage for things like
session replication. There would need to be some very careful testing.

Whilst each of these techniques can be achieved by web applications (some more
easily than others), there is clearly some scope for adding options to Tomcat
so the container handles this transparently.

2009-08-31 Thread bugzilla

--- Comment #15 from Giampaolo Tomassoni giampa...@tomassoni.biz 2009-08-31 06:10:36 PDT ---
I would urge to put Sellars' patch into the next Tomcat 6 version. It may not
be the final weapon against session fixation (also a cookie-based attack seems
possible to me), but it is definitely good in fixing plenty of problems with
search engines and ugly URLs...

2009-06-29 Thread bugzilla

Kalpesh Patel kalpes...@directi.com changed:

   What|Removed |Added

 CC||kalpes...@directi.com

--- Comment #14 from Kalpesh Patel kalpes...@directi.com 2009-06-29 03:35:12 PST ---
I think this option will be really useful to fight against the session fixation
problem. Looking forward to having this patched in Tomcat 6.

2009-05-20 Thread bugzilla

webdev web...@blizzard.com changed:

   What|Removed |Added

 CC||web...@blizzard.com

2009-04-27 Thread bugzilla

--- Comment #12 from Folke B. f...@toxis.com  2009-04-27 09:08:54 PST ---
(In reply to comment #11)
> The Servlet 3.0 spec (ie Tomcat 7 / trunk) includes this as part of the spec.
> Look for javax.servlet.SessionTrackingMode
>
> I think this will do everything you are looking for, although it does mean
> waiting for Tomcat 7.

Sadly, Tomcat 7 may not be an option for many of us for a long time. I had to
fight really hard for the switch to Tomcat 6. Please reconsider applying this
small patch to Tomcat 6 because session fixation is a real threat. 

Though it's reassuring to have Tomcat abide by the rules by default, it
wouldn't hurt to give users more options, even spec breaking options,
especially when it comes to security. I'd rather have Tomcat warn me that the
webapp is deployed into a non-compliant context than putting my client's data
at risk.

2009-04-27 Thread bugzilla

--- Comment #13 from Dillon Sellars dill.sell...@gmail.com 2009-04-27 13:36:42 PST ---
At least where I work this is on a security checklist - having this in Tomcat 6
will lead to more adoption. This is something that ops / admins will look for
in SpringSource tc Server as it is already configurable in Jetty, Weblogic,
Resin, Glassfish, and WebSphere. It's a case where it is better to break the
spec (not by default) for security purposes. I'd love to see it in 6.0.19 if
possible. Running patched makes one second guess everything - I'd like to be
running the same binaries as everyone else.

2009-04-26 Thread bugzilla

Dillon Sellars dill.sell...@gmail.com changed:

   What|Removed |Added

   Attachment #23284 is obsolete|0   |1

--- Comment #10 from Dillon Sellars dill.sell...@gmail.com 2009-04-26 10:26:29 PST ---
Created an attachment (id=23544)
 -- (https://issues.apache.org/bugzilla/attachment.cgi?id=23544)
Updated patch

Good catch, patch updated. 

Added the check to CoyoteAdapter.parseSessionId() - had to move the mapping of
the context up before parseSessionId() and had to move URI decoding before
mapping the context. 

Patches without conflict with the httpOnly changes. 

Changed param in comment / interface from cookies to urlRewriting in Context &
StandardContext.

2009-04-26 Thread bugzilla

--- Comment #11 from Mark Thomas ma...@apache.org  2009-04-26 14:01:36 PST ---
The Servlet 3.0 spec (ie Tomcat 7 / trunk) includes this as part of the spec.
Look for javax.servlet.SessionTrackingMode

I think this will do everything you are looking for, although it does mean
waiting for Tomcat 7.

2009-04-24 Thread bugzilla

--- Comment #9 from Folke B. f...@toxis.com  2009-04-24 16:38:05 PST ---
(In reply to comment #7)
> Created an attachment (id=23284)
>  -- (https://issues.apache.org/bugzilla/attachment.cgi?id=23284)
> Patch to allow URL rewriting to be disabled
>
> Attaching a proposed patch for review.

We also need to make sure that jsessionid isn't accepted anymore if present.

Please take a look at CoyoteAdapter.parseSessionCookieId() and make the patch
apply the same checks to parseSessionId() with context.getUrlRewriting().

Thanks!

2009-04-16 Thread bugzilla

Richard Neish richa...@richardneish.org changed:

   What|Removed |Added

 CC||richa...@richardneish.org

2009-03-23 Thread bugzilla

--- Comment #8 from Dillon Sellars dill.sell...@gmail.com 2009-03-23 07:34:47 PST ---
It's worth mentioning that checking request.isRequestedSessionIdFromURL() won't
stop session fixation attacks. The first request to Tomcat where a session is
created will put the JSESSIONID in both the cookie and querystring. An attacker
can shoulder-surf and read the JSESSIONID from the URL and craft their own
JSESSIONID cookie.

2009-02-19 Thread bugzilla

--- Comment #7 from Dillon Sellars dill.sell...@gmail.com 2009-02-19 18:45:27 PST ---
Created an attachment (id=23284)
 -- (https://issues.apache.org/bugzilla/attachment.cgi?id=23284)
Patch to allow URL rewriting to be disabled

Attaching a proposed patch for review.

2008-06-23 Thread bugzilla

quaff [EMAIL PROTECTED] changed:

   What|Removed |Added

 CC||[EMAIL PROTECTED]

2008-06-23 Thread bugzilla

Mark Thomas [EMAIL PROTECTED] changed:

   What|Removed |Added

   Severity|critical|enhancement

--- Comment #1 from Mark Thomas [EMAIL PROTECTED]  2008-06-23 01:43:25 PST ---
Please read SRV.7.1 of the servlet spec.

An option could be added to disable URL-rewriting (noting that this would be
non-spec compliant).

Requests for enhancements that are accompanied by patches tend to get looked at
sooner than those without.


2008-06-23 Thread bugzilla

--- Comment #2 from Rainer Jung [EMAIL PROTECTED]  2008-06-23 01:58:29 PST ---
Hi Mark,

Spec 7.1 seems to say:

- a compliant container may support URL encoded sessions (may be used)
- if it does support them, it has to use the path parameter jsessionid

So if a site decides to only use cookies because of security, it could be an
interesting option to allow not even accepting session IDs which were URL
encoded.

What do you think?


2008-06-23 Thread bugzilla

--- Comment #3 from Mark Thomas [EMAIL PROTECTED]  2008-06-23 02:32:36 PST ---
SRV.7.1.4 is the important bit for us. If we disable URL-rewriting we break the
spec. That said, I am not against it as an option (probably at the context
level) providing it defaults to off.


2008-06-23 Thread bugzilla

--- Comment #4 from Rainer Jung [EMAIL PROTECTED]  2008-06-23 02:40:39 PST ---
Ahh, of course you are right. I'll see how easy an option is (I guess the
incoming session path parameter and cookie is handled in the connector, and the
context later doesn't know where the id in the request came from ...).


2008-06-23 Thread bugzilla

--- Comment #5 from Rainer Jung [EMAIL PROTECTED]  2008-06-23 02:46:58 PST ---
Sorry, again I wrote partial nonsense: there is a
request.isRequestedSessionIdFromURL() in the servlet API. So it is easy for us
to know, but also for the webapp. One could thus prevent session fixation via
the jsessionid path parameter by a simple filter that invalidates the session
if request.isRequestedSessionIdFromURL() is true.



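As an added example that is not code from this thread or from Tomcat itself: a Servlet 2.4/2.5 filter for Tomcat 5.5/6.0 deployments that combines what comments #5 and #21 describe (refuse any request whose session ID arrived as a ;jsessionid= path parameter) with the session ID change on authentication that comments #16 and #17 call the real fix, done the only way the 2.5 API allows, by invalidating the old session and copying its attributes into a new one. The class name, the rotateSession helper and the choice of a 400 response are assumptions of this example, not Tomcat's API.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example filter (not part of Tomcat) for containers that cannot yet turn off
 * URL rewriting. It (1) rejects requests that present the session ID in the URL
 * and (2) offers rotateSession(), which a login handler calls after verifying
 * credentials so the pre-authentication session ID is never promoted.
 */
public class SessionFixationFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Comments #5 and #21: an ID carried in ;jsessionid= is never trusted.
        // Invalidate whatever it resolves to so a planted ID dies with this
        // request, then refuse the request. (Cookie-less clients lose their
        // session here; that is the trade-off a cookies-only site accepts.)
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession fromUrl = request.getSession(false);
            if (fromUrl != null) {
                fromUrl.invalidate();
            }
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Session tracking via URL is not permitted");
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        // nothing to release
    }

    /**
     * Called by application login code once credentials have been verified.
     * Servlet 2.5 has no API to change an existing session's ID, so the ID is
     * changed by invalidating the old session and copying its attributes into a
     * new one; the container then issues a fresh JSESSIONID cookie. Any ID that
     * was observed before login (comment #8) no longer maps to a live session.
     */
    public static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            // Enumeration<?> compiles against both the 2.4 (raw) and 2.5 signatures.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

Map the filter to /* in web.xml and have the login code call SessionFixationFilter.rotateSession(request) immediately after the credential check; as comment #17 notes, test session replication and any code that caches the session ID before enabling the rotation.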

2008-06-23 Thread bugzilla

--- Comment #6 from Mark Thomas [EMAIL PROTECTED]  2008-06-23 02:56:29 PST ---
That would work. If we wanted to make this a Tomcat option the code around the
context configuration option cookies is where I would start.

