In this case the chances are relatively high - imagine a company using a
proxy to connect to the Internet. The client IP does not change, as someone
in the company sniffing can easily hijack sessions from his/her colleagues.
Tomas
From: "Long" <[EMAIL PROTECTED]om>
To: "Tomcat Users List" <[email protected]>
Date: 10.08.2006 18:30
Subject: Re: Session hijacking with Tomcat/Myfaces - unable to fix it
Please respond to: "Tomcat Users List" <[EMAIL PROTECTED]che.org>
I wonder if associating (and checking) the request IP with the session
would reduce the problem to some acceptable level. What is
the chance of a session being hijacked from the same network (face-ip)?
Another question is: can the original request IP be spoofed?
Long
----- Original Message -----
From: "Tomas Hulek" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[email protected]>
Sent: Thursday, August 10, 2006 12:06 PM
Subject: Re: Session hijacking with Tomcat/Myfaces - unable to fix it
>
> We have tried it, but the internal session attributes where Tomcat stores
> the original request are hidden to application, and are certainly not
> accessible to javax.servlet.* API (and we do try to write PORTABLE
> application, relying on the specification and not on the internals of one
> particular servlet engine).
>
> Commenting on other suggestions
>
> 1) SSL for the whole application is not practical, there are many users who
> only use the public pages and never log in.
>
> 2) We have implemented one workaround in the login-form
> if the session was not generated under SSL do the following:
> - invalidate session
> - create new session and mark it as safe (generated under SSL)
> - do an external redirect to a fixed, non-public page
>
> The last step will start the whole login process again, this time with a
> safe session ID.
>
>
> I am still not happy with it. A very enhancement in Tomcat would do:
> generate new session ID after switch to HTTPS, based e.g. on the SSL session
> ID (to get a new, unique ID).
>
> Tomas
>
>
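An added example, not code from either poster, of the login-form workaround Tomas describes (invalidate a session that was not created under SSL, issue a fresh one marked as safe, redirect to restart the login) combined with the request-IP check Long asks about, written against the portable javax.servlet API only. The attribute names, the redirect target and the assumption that the filter is mapped to the login URL are mine.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
// Filter mapped to the login URL only. Uses nothing beyond javax.servlet, as the
// thread requires. Attribute names and the redirect target are assumed values.
public class SecureSessionFilter implements Filter {
    static final String CREATED_UNDER_SSL = "auth.createdUnderSsl"; // assumed
    static final String BOUND_IP = "auth.boundIp";                 // assumed
    static final String RESTART_PAGE = "/login.jsp";                // assumed
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!request.isSecure()) {           // login over plain HTTP is refused
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(CREATED_UNDER_SSL) == null) {
            // The ID was issued over HTTP and may have been sniffed: drop it,
            // issue a fresh one marked as SSL-born, and restart the login flow.
            session.invalidate();
            markSecure(request.getSession(true), request);
            response.sendRedirect(request.getContextPath() + RESTART_PAGE);
            return;
        }
        if (session == null) {
            session = request.getSession(true);
            markSecure(session, request);
        }
        // Long's suggestion: a session presented from a different client IP is
        // rejected. Tomas' caveat applies: users behind one proxy share an IP,
        // so this narrows the window but does not close it.
        if (!request.getRemoteAddr().equals(session.getAttribute(BOUND_IP))) {
            session.invalidate();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }
    private static void markSecure(HttpSession s, HttpServletRequest r) {
        s.setAttribute(CREATED_UNDER_SSL, Boolean.TRUE);
        s.setAttribute(BOUND_IP, r.getRemoteAddr());
    }
}
```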
---------------------------------------------------------------------
To start a new topic, e-mail: [email protected]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]