Re: Res: Res: Res: JSESSIONID Cookie handle customizing

2010-10-16 Thread Pid
On 16/10/2010 13:55, Juliano Daloia de Carvalho wrote:
> Yes Pid, we can say that it is a kind of encryption.

What do you gain by encrypting the session id?

> Do you know which is the first Tomcat class that receives the client request?
>
> Do you know which is the last Tomcat class that is used before sending the
> response to the client?

It's not that simple.

Mark told you how to modify the session id in a previous email.

You've stated that you want to change the session id, but also that you
want to add an attribute to the request.  The term 'attribute' has
special meaning when talking about Servlet requests.

You may find it difficult to modify the session id and add stuff to the
request in the same code.


I really think you should explain what it is you're trying to achieve,
and why; more meaningful advice is difficult without an understanding of
what the goal is.


Regardless, the Tomcat source code is available for anyone to examine
and connecting a profiler or VisualVM to a running Tomcat will give you
a vast amount of information to use.


p


Res: Res: Res: JSESSIONID Cookie handle customizing

2010-10-16 Thread Juliano Daloia de Carvalho
Yes Pid, we can say that it is a kind of encryption.

Do you know which is the first Tomcat class that receives the client request?

Do you know which is the last Tomcat class that is used before sending the
response to the client?

tks.
 
Juliano



- Original Message 
From: Pid * 
To: Tomcat Users List 
Sent: Saturday, 16 October 2010 4:01:23
Subject: Re: Res: Res: JSESSIONID Cookie handle customizing

So you want to encrypt the session id?


p


On 15 Oct 2010, at 17:33, Juliano Daloia de Carvalho wrote:

> I need to change the value of the sessionID. If I let this be done in the
> servlet, Tomcat won't be able to identify the real session, and will send a
> redirect to the login page.
>
>
>
>
> - Original Message 
> From: Pid 
> To: Tomcat Users List 
> Sent: Friday, 15 October 2010 13:19:54
> Subject: Re: Res: JSESSIONID Cookie handle customizing
>
> On 15/10/2010 17:02, Juliano Daloia de Carvalho wrote:
>> I'll inject code using an agent.
>>
>> The thing is that I need to know for sure the message entry point on
>> Tomcat, and the leaving point also, so I can sniff whether the client's
>> message has the Cookie info with JSESSIONID= or not, and before sending
>> check if Tomcat sent Set-Cookie in the header so I can make the change
>> needed.
>
> Why?  What does the code do that can't be done via a Servlet Filter?
>
>
> p
>
>
>> - Original Message 
>> From: Pid 
>> To: Tomcat Users List 
>> Sent: Friday, 15 October 2010 12:20:37
>> Subject: Re: JSESSIONID Cookie handle customizing
>>
>> On 15/10/2010 15:15, Juliano Daloia de Carvalho wrote:
>>> Hi Folks!
>>>
>>> I want to put some information on the JSESSIONID that Tomcat generates.
>>>
>>> I'm using aspect programming so I don't need to change the Tomcat code
>>> itself.
>>
>>
>>
>> What information?
>>
>>> The thing is that I found many points where Tomcat handles this
>>> information. I checked and noticed that the header parsing is done in the
>>> methods parseSessionId and parseSessionCookiesId in the class
>>> org.apache.catalina.connector.CoyoteAdapter.
>>>
>>> I'm not convinced that this is the perfect point to make my code injection.
>>
>> You are planning to inject code into the container, from a web application?
>>
>>
>> p
>>
>>> I need to find out the exact point where this information (Cookie
>>> JSESSIONID=22) is received by Tomcat and where Tomcat sends this
>>> information to the browser; in other words, the first contact with this
>>> information when the browser sends it and the last contact before
>>> sending it to the browser.
>>>
>>>
>>> Thanks.
>>>
>>>
>>> Juliano
>>>
>>>
>>>
>>>
>>>
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>
>>
>>
>>
>>
>
>
>
>
>





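Pid's point that the request-side work belongs in a Servlet Filter, as an added example that is not part of the thread or of Tomcat: the filter derives a request attribute from the session ID the client presented and never touches the cookie or Tomcat's session lookup. The package, class and attribute names are my assumptions, as is the `<hex core>-<tag>[.<jvmRoute>]` ID shape it expects from a tag-appending Manager.

```java
package example.session;  // hypothetical package, not part of Tomcat

import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Added example (not Tomcat code): derives a request attribute from the
 * session ID the client presented, without altering the cookie or Tomcat's
 * session handling. Map it in web.xml ahead of the servlets that read it.
 */
public class SessionTagFilter implements Filter {

    // Hypothetical, namespaced attribute name so it cannot clash with others.
    public static final String TAG_ATTR = "example.session.tag";

    // Assumed shape from a tag-appending Manager: <hex core>-<tag>[.<jvmRoute>].
    private static final Pattern TAGGED_ID =
            Pattern.compile("^[0-9A-Fa-f]+-([A-Za-z0-9]{1,16})(?:\\.[^.]+)?$");

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // getRequestedSessionId() is the raw value from the Cookie header (or URL).
        // It is client-controlled, so it is only honoured when Tomcat resolved it
        // to a live session; a tampered or stale ID yields no attribute at all.
        String requested = http.getRequestedSessionId();
        if (requested != null && http.isRequestedSessionIdValid()) {
            Matcher m = TAGGED_ID.matcher(requested);
            if (m.matches()) {
                req.setAttribute(TAG_ATTR, m.group(1));
            }
        }
        chain.doFilter(req, res);
    }
}
```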



Res: Res: Res: JSESSIONID Cookie handle customizing

2010-10-15 Thread Juliano Daloia de Carvalho
Mark, I do not want to change how Tomcat handles the sessionId.

I want to create one little class that handles on the server side the cookie 
information that can come in the header, does a preprocessing which will create 
another piece of information that I want to put in the attributes of the request. 

I do not want to change anything about how Tomcat handles the session id.

I just need to process the request header before Tomcat uses it, so I can do 
the operation and create a new attribute and put in the session id that Tomcat 
knows.

I just need to know the first class in Tomcat that receives the message from 
the client and the last one before sending it to the client.

Tks

Juliano



- Original Message 
From: Mark Thomas 
To: Tomcat Users List 
Sent: Friday, 15 October 2010 13:56:07
Subject: Re: Res: Res: JSESSIONID Cookie handle customizing

On 15/10/2010 17:47, Juliano Daloia de Carvalho wrote:
> Chuck, I can't say explicitly why I need to use this info on the session, but
> it is related to security issues.
>
> And you are right, it is much more plausible to do this as you said, but I
> can't afford to do that.

If you need to control the session ID then the right way to do this is
to extend the Manager and override generateSessionId(). Anything else is
going to be fragile, particularly when you factor in that Tomcat will
change the session ID on authentication to prevent session fixation.

Mark





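Mark's suggestion of extending the Manager and overriding generateSessionId(), as an added example that is not part of the thread or of Tomcat: the override keeps Tomcat's own random ID as the unguessable core and only appends a short server-side tag. The package and class names, the nodeTag property and its context.xml attribute are my assumptions.

```java
package example.session;  // hypothetical package, not part of Tomcat

import org.apache.catalina.session.StandardManager;

/**
 * Added example (not Tomcat code): a Manager that keeps Tomcat's random
 * session ID as the core and appends a short, non-secret server-side tag.
 * Enabled per web application in context.xml; Tomcat maps the element's
 * attributes onto the bean setters of the named class:
 *   <Manager className="example.session.TaggedSessionManager" nodeTag="n1"/>
 * The tag travels in the clear in the cookie and access logs, so it must not
 * carry secrets or user identity; the random core stays the only authenticator.
 */
public class TaggedSessionManager extends StandardManager {

    // Restricted to [A-Za-z0-9] so it cannot break cookie syntax or route parsing.
    private String nodeTag = "n1";

    public String getNodeTag() {
        return nodeTag;
    }

    public void setNodeTag(String nodeTag) {
        if (nodeTag == null || !nodeTag.matches("[A-Za-z0-9]{1,16}")) {
            throw new IllegalArgumentException("nodeTag must be 1-16 alphanumerics");
        }
        this.nodeTag = nodeTag;
    }

    /**
     * Called for every new session. ManagerBase.changeSessionId() also goes
     * through this method, so the tag survives the ID rotation Tomcat performs
     * on authentication against session fixation, which Mark mentions above.
     */
    @Override
    protected String generateSessionId() {
        String id = super.generateSessionId();
        // With a jvmRoute configured Tomcat appends ".<route>", and mod_jk /
        // mod_proxy read the route after the last '.', so the tag goes before it.
        int dot = id.lastIndexOf('.');
        if (dot < 0) {
            return id + "-" + nodeTag;
        }
        return id.substring(0, dot) + "-" + nodeTag + id.substring(dot);
    }
}
```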