It has more to do with a bug in SimpleSessionStore.java.  It recycles the
session on create, so then the instance is re-used for the next new session.
I've patched it via:
*** SimpleSessionStore.java.orig        Mon Feb 26 14:59:53 2001
--- SimpleSessionStore.java     Wed Feb 28 09:36:40 2001
***************
*** 426,432 ****
        if (session == null) {
            session = new ServerSession();
            session.setManager( this );
-           recycled.put( session );
        }

        // XXX can return MessageBytes !!!
--- 426,431 ----
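Review bot: dropping `recycled.put( session );` from the creation path is the right fix; a session that has just been allocated and is about to be handed to a client must never sit in the recycle pool, otherwise the next `createSession` pulls that same live instance back out (the `if (session == null)` guard shows the pool is consulted first) and two clients end up sharing one `ServerSession`, which is exactly the cross-client visibility reported below. What this hunk does not show is the path that returns expired or invalidated sessions to `recycled`; please confirm one exists and that it clears the session's id and attributes before pooling, since with this line removed the pool is only as safe as whatever else feeds it. A regression test that creates two sessions back to back and asserts they are distinct instances with distinct ids would catch this class of bug cheaply.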

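The recycle-on-create bug described above, modelled as an added example that is not Tomcat's SimpleSessionStore code; the class and method names, the pool structure and the session ids are assumptions. The constructor flag selects between the original behaviour and the patched one, in which an instance only goes back into the pool once the session has been removed:

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

// Assumed, simplified stand-in for Tomcat's ServerSession: an id plus session-bound attributes.
class ServerSession {
    String id;
    final Map<String, Object> attributes = new HashMap<>();
    void recycle() { id = null; attributes.clear(); }
}

// Assumed, simplified stand-in for SimpleSessionStore with a recycle pool of instances.
class SessionStore {
    private final Map<String, ServerSession> active = new HashMap<>();
    private final Deque<ServerSession> recycled = new ArrayDeque<>();
    private final boolean recycleOnCreate;   // true = original (buggy) behaviour, false = patched
    private int counter = 0;

    SessionStore(boolean recycleOnCreate) { this.recycleOnCreate = recycleOnCreate; }

    ServerSession createSession() {
        ServerSession session = recycled.poll();           // reuse a pooled instance if one exists
        if (session == null) {
            session = new ServerSession();
            if (recycleOnCreate) recycled.push(session);   // the bug: pooled while still live
        }
        session.id = "sess-" + (++counter);                // constructed ids, not Tomcat's generator
        active.put(session.id, session);
        return session;
    }

    // The safe place to feed the pool: only after the session is gone and wiped.
    void removeSession(ServerSession session) {
        active.remove(session.id);
        session.recycle();
        recycled.push(session);
    }
}

public class SessionRecycleDemo {
    public static void main(String[] args) {
        SessionStore buggy = new SessionStore(true);
        ServerSession a = buggy.createSession();            // client 1 logs in
        a.attributes.put("user", "Testuser1");
        ServerSession b = buggy.createSession();            // client 2 gets the very same instance
        System.out.println("buggy: same object=" + (a == b) + " user seen by b=" + b.attributes.get("user"));

        SessionStore fixed = new SessionStore(false);
        ServerSession c = fixed.createSession();
        c.attributes.put("user", "Testuser1");
        ServerSession d = fixed.createSession();            // distinct instance, no leaked attributes
        System.out.println("fixed: same object=" + (c == d) + " user seen by d=" + d.attributes.get("user"));
    }
}
```

In the buggy store the second client observes the first client's `user` attribute even though the object has been given a fresh id, which matches the report that the two browsers usually show different session ids yet the same content.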
----- Original Message -----
From: "GOMEZ Henri" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, February 28, 2001 8:59 AM
Subject: RE: [Security Issue] Sessions are visible across multiple clients


> Probably partially resolved by the patch I forward previously.
> From M. Frey....
>
> Awareness of your own ignorance is a great step toward knowledge.
> -- Benjamin Disraeli
>
>
> >-----Original Message-----
> >From: Amrhein, Thomas [mailto:[EMAIL PROTECTED]]
> >Sent: Wednesday, February 28, 2001 5:59 PM
> >To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> >Subject: [Security Issue] Sessions are visible across multiple clients
> >
> >
> >Hi all,
> >
> >one session can be visible on multiple clients!!
> >
> >THIS IS A BIG SECURITY PROBLEM!
> >
> >Someone opens his web browser and has the session of somebody else.
> >So critical data could be viewed without permission.
> >Somebody can act as somebody else.
> >
> >What's wrong with tomcat's session-handling?
> >
> >I wrote a web application which can reproduce this.
> >
> >I'm working with Tomcat 3.3m1 on WinNT4.
> >On 3.2 I have the same problems sometimes with our application,
> >but it is not reproducible there.
> >
> >To reproduce this:
> >- put sessiontest.war in %TOMCAT_HOME%/webapps/
> >- start Tomcat
> >- open browser1 (Netscape 4.7 or IE5) on machine1 (close it before if it's already open)
> >- locate browser1 on http://yourtomcat/sessiontest/index.jsp (a cookie will be set)
> >- browser1: login with name for example 'Testuser1'
> >- browser1: show settings (The name is displayed)
> >- open browser2 on machine2 (close it before if it's already open)
> >- locate browser2 on http://yourtomcat/sessiontest/index.jsp (a cookie will be set)
> >
> >Browser2 now sees the same content as browser1 (logged in as Testuser1).
> >Look for the source code in the .war. All objects are session-bound.
> >Normally you should not be logged in.
> >Remember that you are on different machines! They should have different cookies, different sessions, different usernames.
> >Sometimes, but not often, they have the same Session-ID (I can not reproduce this).
> >
> >Bug #723: sessions are not properly recycled
> >Perhaps my issue belongs to this.
> >
> >I've seen different bugs reported but not solved belonging to session-handling:
> >#131, 152, 183, 189, 267, 429, 723, 731
> >
> >Can somebody reproduce this behaviour somewhere else?
> >And can this behaviour also happen in Tomcat 3.2/3.2.1 (I don't know the code)?
> >
> >regards,
> >
> >Thomas
> >
> >PS: I'm new to the tomcat-dev mailing list (two or three hours) to stay tuned.
> >Perhaps it's already discussed and patched. Please inform me.
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, email: [EMAIL PROTECTED]
>
>

