Thanks Konstantin for your quick reply.
Actually, security scanners are reporting that the "secure" and "httpOnly" flags are 
not set and raising it as an issue. I would like to set these values by overriding 
"setHeader" or "addHeader" in the ResponseWrapper, but it is not working.
Do you have any idea how we can add these flags even for cleared cookies? I 
also understand there is no direct way of dealing with the JSESSIONID and 
JSESSIONIDSSO cookies.

IMO if Tomcat is clearing the cookie, Tomcat can send an empty or NULL value 
instead of the exact JSESSIONIDSSO cookie value. One can still argue this is 
vulnerable through MitM, as the JSESSIONIDSSO cookie value is present.
What do you think?

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] 
Sent: Wednesday, June 18, 2014 1:27 PM
To: Tomcat Users List
Subject: Re: Regarding JSESSIONIDSSO Cookie maintained by tomcat

2014-06-18 10:45 GMT+04:00 Radha Krishna Meduri -X (radmedur - HCL TECHNOLOGIES 
LIMITED at Cisco) <radme...@cisco.com>:
> Hi Tomcat Users,
>
> We are using Tomcat version 6.0.37. I have a few questions regarding the 
> JSESSIONIDSSO cookie generated by Tomcat.
> As you know, in general each cookie needs to have the "httpOnly" and "Secure" 
> flags set. I understand both the JSESSIONID and JSESSIONIDSSO cookies are maintained 
> by Tomcat for session management. The problem is that sometimes the "JSESSIONIDSSO" 
> cookie does not have the "Secure" and "HttpOnly" flags set. For example, in the 
> following two responses, one time JSESSIONIDSSO has them set and the other time not. I 
> would like to know whether this is expected in some scenarios. Your input is 
> much appreciated.
> I could not find any documentation related to this on the tomcat.apache.org web 
> site.
> Please help me.
>
> In a different application, which is using Tomcat 7.x, I could not find this 
> cookie at all. Are there any fixes between Tomcat 6.0.37 and Tomcat 7.x related 
> to JSESSIONIDSSO?
> Is there any behavior change?
>
> HTTP/1.1 200 OK
> Pragma: No-cache
> Cache-Control: no-store
> Expires: Wed, 31 Dec 1969 23:59:59 GMT
> Set-Cookie: JSESSIONID=E6AA4F8CD91D557123B23F1FBCDAC137; Path=/admin; 
> Secure; HttpOnly
> Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Path=/; 
> Secure; HttpOnly
> Content-Type: text/html;charset=utf-8
> Date: Tue, 17 Jun 2014 16:18:27 GMT
> Server: XYZ
> Content-Length: 71916
>
>
> HTTP/1.1 302 Found
> Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; 
> Expires=Thu, 01-Jan-1970 00:00:10 GMT
> Pragma: No-cache
> Cache-Control: no-cache
> Expires: Thu, 01 Jan 1970 00:00:00 UTC
> Set-Cookie: JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin; 
> Secure; HttpOnly
> Location: https://X.Y.A.B/admin/login.jsp
> Content-Length: 0
> Date: Tue, 17 Jun 2014 16:21:17 GMT
> Server: XYZ
>

With that value of "Expires" the cookie is actually being cleared, not set.

The code for clearing the cookie is in
o.a.catalina.authenticator.SingleSignOn.invoke(...)

[[[
            cookie.setMaxAge(0);
            response.addCookie(cookie);
]]]

The code for setting the cookie is in
o.a.catalina.authenticator.AuthenticatorBase.register(...)


Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
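A worked check for the exchange above, added here as an example (it is not code from the thread, from Tomcat, or from either poster). It parses the two responses quoted in the thread (rebuilt inline with the session id values as given there and the other headers trimmed) and classifies each Set-Cookie as "set" or "cleared", which is the distinction Konstantin draws: a header with Max-Age=0 or an Expires in the past deletes the cookie rather than issuing one. A scanner that does not make that distinction reports the deletion as a session cookie lacking Secure and HttpOnly. The check also records the point raised in the reply, namely that the clearing header repeats the last value issued for that name. On the "not working" part: the SSO cookie is added by the SingleSignOn valve in the Catalina pipeline, which runs before the servlet filter chain, so an HttpServletResponseWrapper installed by a Filter never sees that addCookie call; the parsing below is therefore a triage aid for the scanner output, not a fix on the server side. Function and constant names are the example's own.

```python
"""Classify Set-Cookie headers as 'set' vs 'cleared' and check their flags.

Added example for the Tomcat users thread; not code from the thread or from
Tomcat. SAMPLE_RESPONSES is constructed from the two responses quoted there.
"""
from datetime import datetime, timezone

# Tomcat writes the cookie Expires date with dashes (Netscape style); the
# Date header uses the RFC 1123 form. Both are tried.
HTTP_DATE_FORMATS = ("%a, %d-%b-%Y %H:%M:%S", "%a, %d %b %Y %H:%M:%S")

SAMPLE_RESPONSES = [  # constructed from the thread, trimmed to relevant headers
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=E6AA4F8CD91D557123B23F1FBCDAC137; Path=/admin; Secure; HttpOnly\r\n"
    "Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Date: Tue, 17 Jun 2014 16:18:27 GMT\r\n"
    "\r\n",
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: JSESSIONIDSSO=CF7B7727443A3AAD1AC3AA033E4D98BE; Expires=Thu, 01-Jan-1970 00:00:10 GMT\r\n"
    "Set-Cookie: JSESSIONID=235F4293591E5C72859317ED3294C5A5; Path=/admin; Secure; HttpOnly\r\n"
    "Location: https://X.Y.A.B/admin/login.jsp\r\n"
    "Date: Tue, 17 Jun 2014 16:21:17 GMT\r\n"
    "\r\n",
]


def parse_http_date(text):
    """Parse an Expires/Date value into an aware UTC datetime, or None."""
    text = text.strip()
    for suffix in (" GMT", " UTC"):
        if text.upper().endswith(suffix):
            text = text[: -len(suffix)]
    for fmt in HTTP_DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def parse_set_cookie(header_value):
    """Split 'name=value; attr; attr=value' into (name, value, {attr: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def split_headers(raw):
    """Return (status_line, [(name, value), ...]) from a raw response head."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        key, _, val = line.partition(":")
        headers.append((key.strip(), val.strip()))
    return lines[0], headers


def audit_responses(raw_responses):
    """Audit Set-Cookie headers across responses in the order they were sent.

    A header is 'cleared' when Max-Age <= 0 or Expires is not after the
    response's own Date header. Missing Secure/HttpOnly on a fresh cookie and
    on a clearing header are reported as different notes, and a clearing
    header whose value equals the last value issued for that name is noted.
    """
    last_issued = {}
    findings = []
    for raw in raw_responses:
        _, headers = split_headers(raw)
        date_hdr = next((v for k, v in headers if k.lower() == "date"), None)
        now = parse_http_date(date_hdr) if date_hdr else None
        if now is None:
            now = datetime.now(timezone.utc)
        for key, val in headers:
            if key.lower() != "set-cookie":
                continue
            name, value, attrs = parse_set_cookie(val)
            expires = parse_http_date(attrs["expires"]) if "expires" in attrs else None
            max_age = attrs.get("max-age")
            cleared = (max_age is not None and max_age.lstrip("-").isdigit()
                       and int(max_age) <= 0) or (expires is not None and expires <= now)
            secure, httponly = "secure" in attrs, "httponly" in attrs
            notes = []
            if not cleared:
                if not secure:
                    notes.append("missing Secure")
                if not httponly:
                    notes.append("missing HttpOnly")
                last_issued[name] = value
            else:
                if not (secure and httponly):
                    notes.append("clearing header lacks Secure/HttpOnly")
                if value and value == last_issued.get(name):
                    notes.append("clearing header repeats the last issued value")
            findings.append({"name": name, "action": "cleared" if cleared else "set",
                             "secure": secure, "httponly": httponly, "notes": notes})
    return findings


if __name__ == "__main__":
    for f in audit_responses(SAMPLE_RESPONSES):
        print(f["name"], f["action"], "; ".join(f["notes"]) or "ok")
```

Run against the two quoted responses, the first response yields two "set" cookies with no notes, and the second yields a "cleared" JSESSIONIDSSO carrying both notes followed by a clean "set" JSESSIONID. Feed the audit the responses in the order the browser received them; the repeated-value note depends on that ordering.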


