-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Konstantin,

On 9/28/12 10:27 AM, Konstantin Kolinko wrote:
> 2012/9/28 Joan Morales <joan....@gmail.com>:
>> Hi,
>>
>> I have a security issue (session hijacking) with the JSESSIONID cookie,
>>
>> here is the problem:
>>
>> I am using an architecture with an Apache2 server in front of
>> Tomcat. I have configured SSL on both sides,
>> Apache (ssl_module) and Tomcat (JSSE connectors).
>>
>> 1) I tried using a connection via the AJP protocol to connect between
>> Apache2 and Tomcat using the following configuration in the
>> server.xml:
>>
>> APACHE (httpd) via HTTP/HTTPS
>> <VirtualHost *:80>
>>   ProxyPass / http://localhost:8080/
>>   ProxyPassReverse / http://localhost:8080/
>> </VirtualHost>
>>
>> via AJP
>> <VirtualHost *:80>
>>   ProxyPass / ajp://localhost:8009/
>>   ProxyPassReverse / ajp://localhost:8009/
>> </VirtualHost>
>>
>> <VirtualHost *:443>
>>   ServerAdmin ad...@mail.com
>>   ServerName localhost:443
>>   SSLProxyEngine on
>>   SSLEngine on
>>   SSLCertificateFile "c:/usr/SSL/name.crt"
>>   SSLCertificateKeyFile "c:/usr/SSL/name.key"
>>   ProxyPass / https://localhost:8443/
>>   ProxyPassReverse / https://localhost:8443/
>> </VirtualHost>
>>
>> Tomcat (server.xml)
>>
>> <Connector URIEncoding="UTF-8" connectionTimeout="20000"
>>   port="8080" protocol="HTTP/1.1" redirectPort="8443"
>>   secure="true"/>
>> <Connector URIEncoding="UTF-8" port="8009"
>>   protocol="AJP/1.3" redirectPort="8443" scheme="https"
>>   secure="true"/>
>>
>> Results for this solution: I can still get the JSESSIONID cookie
>>
>> 2) I tried using the HTTP/S protocol to connect between Apache2
>> and Tomcat using the following configuration:
>>
>> Apache: Same configuration
>>
>> Tomcat (server.xml):
>>
>> <Connector URIEncoding="UTF-8" connectionTimeout="20000"
>>   port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
>>
>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>   maxThreads="150" scheme="https" secure="true"
>>   keystoreFile="path/name.keystore" keystorePass="password"
>>   clientAuth="false" sslProtocol="TLS" />
>>
>> I also added this to the web.xml:
>>
>> <session-config>
>>   <session-timeout>30</session-timeout>
>>   <tracking-mode>SSL</tracking-mode>
>> </session-config>
>>
>> Results for this solution:
>>
>> The JSESSIONID cookie disappears. OK.
>> Everything works OK if I access Tomcat directly and bypass Apache
>> (localhost:8443); I can log in to the web page and keep the
>> session in every link inside the app,
>>
>> but when I try to access through Apache in https on port 443
>> (https://localhost:443), I can log in the first time, but when I
>> try to access somewhere else in the app I lose the user session
>> and the app logs me out. I checked the logs and there are no
>> errors in either Apache or Tomcat.
>>
>> So, is this solution implementable under this architecture? Am I
>> missing some configuration?
>>
>
> So you are trying to do
>
> Browser -> (HTTPS) -> Apache HTTPD -> (HTTPS) -> Tomcat
>
> In this case there are 2 different HTTPS connections.
>
> <session-config>
>   <session-timeout>30</session-timeout>
>   <tracking-mode>SSL</tracking-mode>
> </session-config>
>
> The above "SSL" session tracking configuration wouldn't work,
> because from Tomcat's point of view the only connection that it
> sees is the one from Apache HTTPD. It knows the "sslSession" identifier
> of this connection only.
>
> To use "SSL" session tracking you should connect to Tomcat
> directly.

What about using Browser -> (HTTPS) -> httpd -> (AJP) -> Tomcat?

Since httpd forwards all the SSL information, can Tomcat sniff that
and successfully use SSL-based session identification?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBl2jIACgkQ9CaO5/Lv0PAYBwCfe+61S3DHa+VBsCLz5Ca9LYfl
Tl4An0o8OI43y/ZJ8QIve5EM1FXZFPSh
=7NU3
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
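A check a practitioner would want after reading this thread is whether the session id actually reaches the browser with the right protections in each of the setups discussed. The following is an added example, not code from the original post or from Tomcat or httpd: a small Python audit of Set-Cookie headers, run over constructed sample responses modelled on the setups Joan describes (the sample names, cookie values and the assumed connector settings behind each sample are assumptions, not captures from a real deployment).

```python
"""Audit the session cookie in captured HTTP response headers.

Added example for the thread above, not code from the original post or
from Tomcat/httpd. Sample responses are constructed to mirror the setups
Joan describes; they are not captured from a real server.
"""

SESSION_COOKIE = "JSESSIONID"


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and lower-cased attributes.

    Attribute flags without a value (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(set_cookie_headers, over_https):
    """Return the list of weaknesses found for the session cookie in one response.

    set_cookie_headers: the Set-Cookie header values of the response.
    over_https: whether the client-facing hop (browser -> httpd, or browser ->
    Tomcat when bypassing httpd) was TLS; a session id handed out on a
    plaintext hop is exposed on the wire regardless of cookie attributes.
    """
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] != SESSION_COOKIE:
            continue
        if not over_https:
            findings.append("session id issued over plaintext HTTP")
        if cookie["attrs"].get("secure") is not True:
            findings.append("missing Secure: browser would also send it over http://")
        if cookie["attrs"].get("httponly") is not True:
            findings.append("missing HttpOnly: readable by page scripts")
    return findings


# Constructed sample responses (assumed, not captured from a real deployment).
SAMPLES = {
    # Tomcat reached directly on 8443 with <tracking-mode>SSL</tracking-mode>:
    # no cookie is issued at all, the TLS session carries the HTTP session.
    "direct_tomcat_ssl_tracking": ([], True),
    # httpd on :443 proxying to an HTTP/1.1 connector *without* secure="true":
    # Tomcat sees a plain connection, so request.isSecure() is false and the
    # cookie is not flagged Secure.
    "via_httpd_plain_connector": (["JSESSIONID=ABC123; Path=/; HttpOnly"], True),
    # httpd on :443 proxying over AJP to a connector with secure="true":
    # the cookie is flagged Secure (HttpOnly is Tomcat 7's default).
    "via_httpd_ajp_secure": (["JSESSIONID=ABC123; Path=/; Secure; HttpOnly"], True),
    # httpd on :80 proxying to Tomcat: the id itself travels in cleartext.
    "via_httpd_port_80": (["JSESSIONID=ABC123; Path=/; HttpOnly"], False),
}


def audit_all(samples=SAMPLES):
    """Run the audit over every sample; returns {sample name: findings}."""
    return {name: audit_session_cookie(hdrs, tls) for name, (hdrs, tls) in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or ["ok"])
```

Run it directly to print one line per sample. In Tomcat the Secure attribute on JSESSIONID follows request.isSecure(), which is what the secure="true" connector attribute in Joan's configuration forces for requests that arrive through the proxy; with <tracking-mode>SSL</tracking-mode> no cookie is issued at all, which is why the audit has nothing to report for the direct-to-Tomcat sample, but also why, as Konstantin notes, that mode only works when the browser's TLS connection terminates at Tomcat itself.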