https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
Mark Thomas ma...@apache.org changed:
What|Removed |Added
CC||thu...@cz.ibm.com
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #28 from Arvind Srinivasan yoa...@gmail.com 2010-06-04 08:51:33
EDT ---
Should changing the session id of an existing session object be treated the
same as creating a new session i.e. should the session creation listeners be
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
Mark Thomas ma...@apache.org changed:
What|Removed |Added
Status|NEW |RESOLVED
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #23 from jcran jc...@0x0e.org 2009-12-30 07:36:31 UTC ---
Really pleased to see this integrated. Thank you Mark / Dillon.
Just to be clear, we're waiting until Tomcat 7 to be able to remove the
JSessionID from the url?
--
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
jcran jc...@0x0e.org changed:
What|Removed |Added
CC||jc...@0x0e.org
--
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #24 from Mark Thomas ma...@apache.org 2009-12-30 07:50:25 GMT ---
(In reply to comment #23)
Really pleased to see this integrated. Thank you Mark / Dillon.
Just to be clear, we're waiting until Tomcat 7 to be able to remove
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #25 from jcran jc...@0x0e.org 2009-12-30 08:14:01 UTC ---
(In reply to comment #24)
...
Yes, but Tomcat 5 6 will change the session ID on authentication which
addresses the root cause of the session fixation. With that fixed
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #26 from Mark Thomas ma...@apache.org 2009-12-30 08:37:02 GMT ---
(In reply to comment #25)
So it appears that the session ID in the URL will be encrypted. I had to do
some sniffing / digging myself -
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
Mark Thomas ma...@apache.org changed:
What|Removed |Added
Component|Catalina|Catalina
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #21 from Mark Thomas ma...@apache.org 2009-12-11 09:45:21 GMT ---
I have patched Tomcat 7 to change the session ID on authentication by default.
The same patch has been proposed for 6.0.x and 5.5.x although the default may
be
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #20 from jcran jc...@0x0e.org 2009-12-09 23:59:01 UTC ---
i should be careful. it doesn't prevent all session hijacking. just certain
use-cases. see comments above.
jcran
--
Configure bugmail:
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
Maxim Valyanskiy max.valjan...@gmail.com changed:
What|Removed |Added
CC|
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
Andre Schild a.sch...@aarboard.ch changed:
What|Removed |Added
CC|
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #16 from Rejeev Divakaran rej...@gmail.com 2009-09-23 09:47:24
PDT ---
I think we have mis-understood Session fixation. disabling URL re-write will
not solve session fixation.
Please refer to
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
Rejeev Divakaran rej...@gmail.com changed:
What|Removed |Added
CC|
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #17 from Mark Thomas ma...@apache.org 2009-09-23 18:20:36 BST ---
Actually, preventing the use of the session ID in the URL goes a long way to
preventing session fixation as it blocks the most easily exploited attack
vectors.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #15 from Giampaolo Tomassoni giampa...@tomassoni.biz 2009-08-31
06:10:36 PDT ---
I would urge to put Sellars' patch into the next Tomcat 6 version. It may not
be the final weapon against session fixation (also a cookie-based
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
Kalpesh Patel kalpes...@directi.com changed:
What|Removed |Added
CC|
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
webdev web...@blizzard.com changed:
What|Removed |Added
CC||web...@blizzard.com
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #12 from Folke B. f...@toxis.com 2009-04-27 09:08:54 PST ---
(In reply to comment #11)
The Servlet 3.0 spec (ie Tomcat 7 / trunk) includes this as part of the spec.
Look for javax.servlet.SessionTrackingMode
I think
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #13 from Dillon Sellars dill.sell...@gmail.com 2009-04-27
13:36:42 PST ---
At least where I work this is on a security checklist - having this in Tomcat 6
will lead to more adoption. This is something that ops / admins
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
Dillon Sellars dill.sell...@gmail.com changed:
What|Removed |Added
Attachment #23284|0 |1
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #11 from Mark Thomas ma...@apache.org 2009-04-26 14:01:36 PST ---
The Servlet 3.0 spec (ie Tomcat 7 / trunk) includes this as part of the spec.
Look for javax.servlet.SessionTrackingMode
I think this will do everything you
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #9 from Folke B. f...@toxis.com 2009-04-24 16:38:05 PST ---
(In reply to comment #7)
Created an attachment (id=23284)
-- (https://issues.apache.org/bugzilla/attachment.cgi?id=23284) [details]
Patch to allow URL rewriting
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
Richard Neish richa...@richardneish.org changed:
What|Removed |Added
CC|
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #8 from Dillon Sellars dill.sell...@gmail.com 2009-03-23
07:34:47 PST ---
It's worth mentioning that checking request.isRequestedSessionIdFromURL() won't
stop session fixation attacks. The first request to Tomcat where a
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #7 from Dillon Sellars dill.sell...@gmail.com 2009-02-19
18:45:27 PST ---
Created an attachment (id=23284)
-- (https://issues.apache.org/bugzilla/attachment.cgi?id=23284)
Patch to allow URL rewriting to be disabled
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
quaff [EMAIL PROTECTED] changed:
What|Removed |Added
CC||[EMAIL PROTECTED]
--
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
Mark Thomas [EMAIL PROTECTED] changed:
What|Removed |Added
Severity|critical|enhancement
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #2 from Rainer Jung [EMAIL PROTECTED] 2008-06-23 01:58:29 PST ---
Hi Mark,
Spec 7.1 seems to say:
- a compliant container may support URL encoded sessions (may be used)
- if it does support them, it has to use the path
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #3 from Mark Thomas [EMAIL PROTECTED] 2008-06-23 02:32:36 PST ---
SRV.7.1.4 is the important bit for us. If we disable URL-rewriting we break the
spec. That said, I am not against it as an option (probably at the context
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #4 from Rainer Jung [EMAIL PROTECTED] 2008-06-23 02:40:39 PST ---
Ahh, of course you are right. I'll see how easy an option is (I guess the
incoming session path parameter and cookie is handled in the connector, and the
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #5 from Rainer Jung [EMAIL PROTECTED] 2008-06-23 02:46:58 PST ---
Sorry, again I wrote partial nonsense: there is a
request.isRequestedSessionIdFromURL() in the servlet API. So it is easy for us
to know, but also for the
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #6 from Mark Thomas [EMAIL PROTECTED] 2008-06-23 02:56:29 PST ---
That would work. If we wanted to make this a Tomcat option the code around the
context configuration option cookies is where I would start.
--
Configure
34 matches
Mail list logo
