DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

Mark Thomas ma...@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |thu...@cz.ibm.com

--- Comment #29 from Mark Thomas ma...@apache.org 2010-08-25 15:01:59 EDT ---
*** Bug 40222 has been marked as a duplicate of this bug. ***

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #28 from Arvind Srinivasan yoa...@gmail.com 2010-06-04 08:51:33 EDT ---
Should changing the session id of an existing session object be treated the same
as creating a new session, i.e. should the session creation listeners be
triggered?

http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/session/ManagerBase.java?r1=903083&r2=918761
invokes setId() which in turn invokes the session creation listeners in
tellNew().
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

Mark Thomas ma...@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #27 from Mark Thomas ma...@apache.org 2010-03-03 23:12:24 UTC ---
The ability to change the session ID on authentication has been added to 5.5.x
and will be included in 5.5.29 onwards.
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #23 from jcran jc...@0x0e.org 2009-12-30 07:36:31 UTC ---
Really pleased to see this integrated. Thank you Mark / Dillon.

Just to be clear, we're waiting until Tomcat 7 to be able to remove the
JSessionID from the url?
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

jcran jc...@0x0e.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jc...@0x0e.org
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #24 from Mark Thomas ma...@apache.org 2009-12-30 07:50:25 GMT ---
(In reply to comment #23)
> Really pleased to see this integrated. Thank you Mark / Dillon.
> 
> Just to be clear, we're waiting until Tomcat 7 to be able to remove the
> JSessionID from the url?

Yes, but Tomcat 5 & 6 will change the session ID on authentication which
addresses the root cause of the session fixation. With that fixed whether or
not the session ID is in the URL is moot.
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #25 from jcran jc...@0x0e.org 2009-12-30 08:14:01 UTC ---
(In reply to comment #24)
> ...
> Yes, but Tomcat 5 & 6 will change the session ID on authentication which
> addresses the root cause of the session fixation. With that fixed whether or
> not the session ID is in the URL is moot.

So it appears that the session ID in the URL will be encrypted. I had to do some
sniffing / digging myself - http://answers.google.com/answers/threadview/id/758002.html
- but it's still bad practice, and introduces vulnerability.

Consider the case of a proxy server, or of your own browser history. If you take
a look, you'll see that jsessionids are getting cached in the history, regardless
of whether they were handed out after authentication or not.

That aside, there's no reason that the browser couldn't cache the entire
response, thus making this whole point moot -- it just doesn't out of the box.

Removing the session ID from the URL would prevent browser history caching of a
Session ID.
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #26 from Mark Thomas ma...@apache.org 2009-12-30 08:37:02 GMT ---
(In reply to comment #25)
> So it appears that the session ID in the URL will be encrypted. I had to do
> some sniffing / digging myself -
> http://answers.google.com/answers/threadview/id/758002.html - but it's still
> bad practice, and introduces vulnerability.

This is FUD. There is no vulnerability here.

> Consider the case of a proxy server, or of your own browser history. If you
> take a look, you'll see that jsessionids are getting cached in the history,
> regardless of whether they were handed out after authentication or not.
> 
> That aside, there's no reason that the browser couldn't cache the entire
> response, thus making this whole point moot -- it just doesn't out of the box.
> 
> Removing the session ID from the URL would prevent browser history caching of
> a Session ID.

More FUD. The situations you describe are not vulnerabilities.

Since Bugzilla is neither a support forum nor a discussion forum, if you wish to
continue this discussion further, please do so on the users list.
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

Mark Thomas ma...@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Catalina                    |Catalina
            Version|unspecified                 |5.5.28
            Product|Tomcat 6                    |Tomcat 5
   Target Milestone|default                     |---

--- Comment #22 from Mark Thomas ma...@apache.org 2009-12-19 17:05:23 GMT ---
The patch has been applied to 6.0.x and will be included in 6.0.21 onwards.
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #21 from Mark Thomas ma...@apache.org 2009-12-11 09:45:21 GMT ---
I have patched Tomcat 7 to change the session ID on authentication by default.
The same patch has been proposed for 6.0.x and 5.5.x although the default may
be not to change the session ID.

With this patch applied the situation is:

Tomcat 7
- Not vulnerable by default since session ID changes on authentication
- If this default is changed by the user (eg because the application can't
  handle a changing session ID) then the risks may be minimised by disabling
  session tracking via URL (a new feature in Servlet 3)

Tomcat 5 & 6
- Can be prevented by enabling changing the session ID on authentication (if
  there is insufficient support for this to be enabled by default)
- If the application can't handle a changing session ID then the risks may be
  minimised by writing a custom filter that checks
  request.isRequestedSessionIdFromURL() and responds accordingly (eg rejecting
  the request)

With these changes in place, although there will not be an option to disable
URL re-writing, I believe that there will be sufficient options to prevent
session fixation which is, after all, the reason behind the request to be able
to disable URL rewriting.
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #20 from jcran jc...@0x0e.org 2009-12-09 23:59:01 UTC ---
I should be careful. It doesn't prevent all session hijacking, just certain
use-cases. See comments above.

jcran
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

Maxim Valyanskiy max.valjan...@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |max.valjan...@gmail.com
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

Andre Schild a.sch...@aarboard.ch changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |a.sch...@aarboard.ch

--- Comment #18 from Andre Schild a.sch...@aarboard.ch 2009-11-17 11:48:35 UTC ---
A good document describing session fixation can be found here:
http://www.acros.si/papers/session_fixation.pdf

Just disabling the usage of jsessionid= in the URL does not solve the problem,
it just closes one of many open doors.
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #16 from Rejeev Divakaran rej...@gmail.com 2009-09-23 09:47:24 PDT ---
I think we have misunderstood Session fixation. Disabling URL re-write will not
solve session fixation. Please refer to
http://www.owasp.org/index.php/Session_Fixation and
http://rejeev.blogspot.com/2009/09/session-fixation_08.html

The correct solution for Session fixation is to create a new Session cookie each
time an authentication happens (discard old cookie and send new cookie to client
after authentication).
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

Rejeev Divakaran rej...@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rej...@gmail.com
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #17 from Mark Thomas ma...@apache.org 2009-09-23 18:20:36 BST ---
Actually, preventing the use of the session ID in the URL goes a long way to
preventing session fixation as it blocks the most easily exploited attack
vectors. There would remain an issue with cookies but that should be limited to
3rd party cookies which may not be an issue for many situations.

You are correct that changing the session ID on authentication will resolve all
session fixation attacks. However, changing the session ID may also cause
application breakage. It may also cause internal breakage for things like
session replication. There would need to be some very careful testing.

Whilst each of these techniques can be achieved by web applications (some more
easily than others), there is clearly some scope for adding options to Tomcat
so the container handles this transparently.
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #15 from Giampaolo Tomassoni giampa...@tomassoni.biz 2009-08-31 06:10:36 PDT ---
I would urge to put Sellars' patch into the next Tomcat 6 version. It may not
be the final weapon against session fixation (also a cookie-based attack seems
possible to me), but it is definitely good in fixing plenty of problems with
search engines and ugly URLs...
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

Kalpesh Patel kalpes...@directi.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kalpes...@directi.com

--- Comment #14 from Kalpesh Patel kalpes...@directi.com 2009-06-29 03:35:12 PST ---
I think this option will be really useful to fight against the session fixation
problem. Looking forward to having this patched in tomcat 6.
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

webdev web...@blizzard.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |web...@blizzard.com
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #12 from Folke B. f...@toxis.com 2009-04-27 09:08:54 PST ---
(In reply to comment #11)
> The Servlet 3.0 spec (ie Tomcat 7 / trunk) includes this as part of the spec.
> Look for javax.servlet.SessionTrackingMode
> 
> I think this will do everything you are looking for, although it does mean
> waiting for Tomcat 7.

Sadly, Tomcat 7 may not be an option for many of us for a long time. I had to
fight really hard for the switch to Tomcat 6.

Please reconsider applying this small patch to Tomcat 6 because session fixation
is a real threat. Though it's reassuring to have Tomcat abide by the rules by
default, it wouldn't hurt to give users more options, even spec breaking
options, especially when it comes to security. I'd rather have Tomcat warn me
that the webapp is deployed into a non-compliant context than putting my
client's data at risk.
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #13 from Dillon Sellars dill.sell...@gmail.com 2009-04-27 13:36:42 PST ---
At least where I work this is on a security checklist - having this in Tomcat 6
will lead to more adoption. This is something that ops / admins will look for
in SpringSource tc Server as it is already configurable in Jetty, Weblogic,
Resin, Glassfish, and WebSphere.

It's a case where it is better to break the spec (not by default) for security
purposes. I'd love to see it in 6.0.19 if possible. Running patched makes one
second guess everything - I'd like to be running the same binaries as everyone
else.
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

Dillon Sellars dill.sell...@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #23284|0                           |1
        is obsolete|                            |

--- Comment #10 from Dillon Sellars dill.sell...@gmail.com 2009-04-26 10:26:29 PST ---
Created an attachment (id=23544)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23544)
Updated patch

Good catch, patch updated. Added the check to CoyoteAdapter.parseSessionId() -
had to move the mapping of the context up before parseSessionId() and had to
move URI decoding before mapping the context. Patches without conflict with the
httpOnly changes. Changed param in comment / interface from cookies to
urlRewriting in Context & StandardContext.
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #11 from Mark Thomas ma...@apache.org 2009-04-26 14:01:36 PST ---
The Servlet 3.0 spec (ie Tomcat 7 / trunk) includes this as part of the spec.
Look for javax.servlet.SessionTrackingMode

I think this will do everything you are looking for, although it does mean
waiting for Tomcat 7.
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #9 from Folke B. f...@toxis.com 2009-04-24 16:38:05 PST ---
(In reply to comment #7)
> Created an attachment (id=23284)
>  --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23284) [details]
> Patch to allow URL rewriting to be disabled
> 
> Attaching a proposed patch for review.

We also need to make sure that jsessionid isn't accepted anymore if present.
Please take a look at CoyoteAdapter.parseSessionCookieId() and make the patch
apply the same checks to parseSessionId() with context.getUrlRewriting().

Thanks!
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

Richard Neish richa...@richardneish.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |richa...@richardneish.org
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #8 from Dillon Sellars dill.sell...@gmail.com 2009-03-23 07:34:47 PST ---
It's worth mentioning that checking request.isRequestedSessionIdFromURL() won't
stop session fixation attacks. The first request to Tomcat where a session is
created will put the JSESSIONID in both the cookie and querystring. An attacker
can shoulder-surf and read the JSESSIONID from the URL and craft their own
JSESSIONID cookie.
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #7 from Dillon Sellars dill.sell...@gmail.com 2009-02-19 18:45:27 PST ---
Created an attachment (id=23284)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23284)
Patch to allow URL rewriting to be disabled

Attaching a proposed patch for review.
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

quaff [EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[EMAIL PROTECTED]
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

Mark Thomas [EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|critical                    |enhancement

--- Comment #1 from Mark Thomas [EMAIL PROTECTED] 2008-06-23 01:43:25 PST ---
Please read SRV.7.1 of the servlet spec.

An option could be added to disable URL-rewriting (noting that this would be
non-spec compliant). Requests for enhancements that are accompanied by patches
tend to get looked at sooner than those without.
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #2 from Rainer Jung [EMAIL PROTECTED] 2008-06-23 01:58:29 PST ---
Hi Mark,

Spec 7.1 seems to say:

- a compliant container may support URL encoded sessions (may be used)
- if it does support them, it has to use the path parameter jsessionid

So if a site decides to only use cookies because of security, it could be an
interesting option to allow not even accepting session IDs which were URL
encoded.

What do you think?
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #3 from Mark Thomas [EMAIL PROTECTED] 2008-06-23 02:32:36 PST ---
SRV.7.1.4 is the important bit for us. If we disable URL-rewriting we break the
spec.

That said, I am not against it as an option (probably at the context level)
providing it defaults to off.
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #4 from Rainer Jung [EMAIL PROTECTED] 2008-06-23 02:40:39 PST ---
Ahh, of course you are right.

I'll see how easy an option is (I guess the incoming session path parameter and
cookie is handled in the connector, and the context later doesn't know, where
the id in the request came from ...).
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #5 from Rainer Jung [EMAIL PROTECTED] 2008-06-23 02:46:58 PST ---
Sorry, again I wrote partial nonsense: there is a
request.isRequestedSessionIdFromURL() in the servlet API. So it is easy for us
to know, but also for the webapp.

One could thus prevent session fixation via the jsessionid path parameter by a
simple filter, that invalidates the session, if
request.isRequestedSessionIdFromURL() is true.
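The two application-level mitigations the thread converges on for Tomcat 5/6, as one added example (not Tomcat's own code and not the patch attached to this bug): the filter from comments #5 and #21 that refuses a session ID presented as a jsessionid path parameter, plus the change-the-ID-on-authentication step that comment #21 describes the container doing by default in Tomcat 7, done by hand against the Servlet 2.5 API. Class and method names are assumptions.

```java
// Added example for Bug 45255, not Tomcat code. Servlet 2.5 API (Tomcat 6):
// there is no request.changeSessionId(), so the ID is renewed by copying the
// session into a fresh one. SessionFixationFilter and its method names are
// assumptions chosen for this example.
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionFixationFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Comments #5 / #21: the ID arrived as ;jsessionid=... in the URL rather
        // than as a cookie. A URL-borne ID may have been handed to the user by
        // someone else, so do not honour it: drop that session and reject the
        // request instead of letting the application continue with it.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession planted = request.getSession(false);
            if (planted != null) {
                planted.invalidate();
            }
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Session IDs in the URL are not accepted");
            return;
        }
        chain.doFilter(request, response);
    }

    /**
     * Root-cause fix (what Tomcat 7 does by default per comment #21): issue a
     * new session ID at the moment the user authenticates, so an ID known to a
     * third party before login no longer identifies the authenticated session.
     * Call from the login handler after the credentials have been verified.
     * Attributes are carried over so the application does not see a new,
     * empty session (the "application breakage" concern in comment #17).
     */
    public static HttpSession renewSessionOnAuthentication(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate(); // the pre-login ID is now useless to anyone holding it
        }
        HttpSession fresh = request.getSession(true); // new ID goes out in Set-Cookie
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Map the filter to /* in web.xml; as comment #8 notes, the filter alone does not close the case where the first response carries the ID in both the cookie and the rewritten URL, which is why renewing the ID on authentication is the part that addresses the root cause. On a Servlet 3.0 container the URL tracking mode itself can be switched off with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml, which is the javax.servlet.SessionTrackingMode facility comment #11 refers to.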
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #6 from Mark Thomas [EMAIL PROTECTED] 2008-06-23 02:56:29 PST ---
That would work. If we wanted to make this a Tomcat option the code around the
context configuration option cookies is where I would start.