Re: Tomcat 8.0.30 Session lost

Tue, 12 Jan 2016 03:16:41 -0800 

Am 11.01.16 um 22:05 schrieb Mark Thomas:


<Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
   changeSessionIdOnAuthentication="false" />

Found on
http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection
the description how to switch the "feature" off.

I will file two bugs soon describing the issues I had. Hopefully they
will be fixed.

1.) if using HttpServetRequest.login(String, String) further request in
the session are loosing the users Principal.

2.) After changing sessionId, old sessionIds should still be valid for a
short period of time of to the same client.


The second request will get closed as INVALID on security grounds. If
the old ID is valid for any period of time it makes a session fixation
attack possible. You might as well disable changing the session ID on
authentication.

For the first the description above isn't clear enough to be sure
exactly what you are asking for. However, based on the second request
and what I have read of this thread I suspect that request will get
closed as INVALID or WONTFIX.


Hi Mark,


if you choose to use login() and this modifies the session ID. Further 
calls to login() should either:



1.) are not required as every request belonging to the same session are 
already authenticated. After login() other request of the same session 
will not return 'null' on getRemoteUser() or getUserPrincipal()



2.) are not required, as authenticate() use the information provided by 
the first login() call.



3.) do not modify the session ID as the same user was authenticated 
before and the session is therefor safe to session fixation attacks



If login() modifies the session and the session does not track the 
authentication information, session tracking is not deterministic due to 
side effects for multiple requests at a time.



Fixing either #1, #2 or #3 does not harm security at all but will fix 
this bug in Tomcat.



I also tried to use authenticate() on the request, but instead of using 
the last login() credentials it forced the use of Basic Authentication. 
So really I do not see a option left on the developer side, how to use 
login() in a reliable manner.


kind regards

Thomas

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org























					Reply via email to