I've attached 1 patch, 2 modified interceptors, and one new
interceptor.  These all work with 3.2b6.  Please consider these for
3.2b7.  Here is what they do:

CookieTools.patch:
        This patch fixes cookie deletion.  The problem was that to delete a
cookie, you use setMaxAge(0).  The implementation of CookieTools adds the max
age onto the current time of the server.  That's fine, but the RFCs refer to
setting the time into the past for deletion.  This patch sets the expire time
on the cookie way back into the past.  It at least fixes it for me.

SessionInterceptor1.java & StandardSessionInterceptor1.java:
        This patch modifies the behavior of session cookies.  The way the
original worked was SessionInterceptor would find the first cookie named
JSESSIONID, and store it as the requested session ID.
StandardSessionInterceptor would then check the requested session ID to see
if it was valid in the selected context.  This version removes the cookie
checking from SessionInterceptor, and moves all the cookie handling to
StandardSessionInterceptor.  This gives us access to the context so that we
can check all the cookies named JSESSIONID to find a valid one for that
context.  That allows a / and a non-/ cookie to both be present and it will
still pick the right one.  These two new interceptors should be used
together, and replace the original SessionInterceptor and
StandardSessionInterceptor.  These also set the jvmRoute on the / context.
We can do that now because it will always get the right session ID for the
context.

SessionCookieSanitizer.java:
        This is a new interceptor that will hide all cookies named JSESSIONID
that are not valid sessions from the webapp.  In the case of a good app and a
malicious app, if the one user logged in on the good app, and then accessed
the malicious app, the malicious app could send the session ID to someone who
could then masquerade as the user in the good app.

Both SessionInterceptor1 and StandardSessionInterceptor1 are mostly the
same as the originals, but some code has been moved.  Sending these as
patches might make it unclear where the changes had occurred and why, so
I'm sending them in their entirety.

Paul Frieden
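The three behaviours described in the message (picking the JSESSIONID that is valid for the current context when a / and a non-/ cookie are both sent, hiding the other JSESSIONIDs from the webapp, and deleting a cookie with an expiry in the past) as an added stand-alone Python simulation; this is not the patch or Tomcat's code, and the simplified cookie parser, the in-memory session set and the sample request header are constructed assumptions.

```python
from datetime import datetime
from typing import Callable, List, Optional, Tuple

SESSION_COOKIE = "JSESSIONID"

def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a Cookie request header into ordered (name, value) pairs.
    Simplified parser (assumption): no quoted values or $-attributes."""
    pairs = []
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def select_session_id(cookies, valid_in_context: Callable[[str], bool]) -> Optional[str]:
    """Pick the first JSESSIONID that is a live session of *this* context,
    not simply the first JSESSIONID cookie sent, which may belong to the
    / context when a / and a non-/ cookie are both present."""
    for name, value in cookies:
        if name == SESSION_COOKIE and valid_in_context(value):
            return value
    return None

def sanitize_cookies(cookies, valid_in_context: Callable[[str], bool]):
    """Cookies the webapp may see: JSESSIONIDs that are not live sessions
    of this context are hidden, so one webapp cannot read and leak
    another context's session ID."""
    return [(n, v) for n, v in cookies
            if n != SESSION_COOKIE or valid_in_context(v)]

def deletion_set_cookie(name: str, path: str = "/") -> str:
    """Set-Cookie value that deletes a cookie by an Expires date far in the
    past (Netscape-style date format, Unix epoch here) rather than
    'server time + max-age 0', which the client compares to its own clock."""
    expires = datetime(1970, 1, 1).strftime("%a, %d-%b-%Y %H:%M:%S") + " GMT"
    return f"{name}=; Expires={expires}; Path={path}"

# Constructed sample: the browser sends the / context's cookie first.
SAMPLE_HEADER = "JSESSIONID=root111; JSESSIONID=app222; theme=dark"
APP_CONTEXT_SESSIONS = {"app222"}  # live sessions of the /app context

def demo():
    """Run the three steps for the /app context on the sample request."""
    cookies = parse_cookie_header(SAMPLE_HEADER)
    in_app = lambda sid: sid in APP_CONTEXT_SESSIONS
    return (select_session_id(cookies, in_app),
            sanitize_cookies(cookies, in_app),
            deletion_set_cookie(SESSION_COOKIE))
```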



"Craig R. McClanahan" wrote:
> 
> It's been a week now, and I've committed > 20 patches to the 3.2 tree,
> ranging from simple tweaks to security problems to spec compliance
> bugs.  I believe that I've gotten all of the critical bug reports
> submitted on the mailing lists or via BugRat.  Does anyone know of any
> I've missed (see below for one issue I know is outstanding)?
> 
> What I'd like to do is build a "beta 7" release this afternoon and post
> it.  That will give people a chance to pound on it.  Any critical bugs
> we find will need to be fixed, but we need to hold off on changing
> non-essential stuff so we can get a final 3.2 release out the door.
> 
> NOTE:  One issue that's been discussed in the last couple of days is
> problems supporting the "load balancing" feature for root webapps.  I
> haven't seen a proposed patch for this, but understand from the comments
> of people that have tried kludges to work around it -- and it seems
> unreasonable to risk destabilizing things at this late date.  I suggest
> that any work on fixing this problem be deferred to a post-3.2-final
> maintenance cycle.
> 
> Craig McClanahan
> 
> PS:  Thanks to everyone for all the bug reports, and to Larry and Nacho
> for chipping in on the commits!
> 
> PPS:  When the 3.2 final release is completed, my personal focus is
> going to return to the Tomcat 4.0 code base (which does not suffer from
> any of the bugs patched in 3.2, although I did find one 4.0 bug along
> the way :-).  If and when bugs show up in 3.2 final, I will be happy to
> commit patches that people supply -- but any big debugging effort or
> major new work on the 3.x track will need to be done by someone else.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

CookieTools.patch

SessionCookieSanitizer.java

SessionInterceptor1.java

StandardSessionInterceptor1.java
