Is there a way to disable the Tomcat server (5.5) from accepting sessions that are sent in the URL using jsessionid? This would be useful in preventing certain session fixation attacks. Basically, I would want sessions to be accepted only if they are sent using a cookie.
Specifically, I am concerned about the following scenario: 1) Attacker sends a simple HTTP Get to server (http://www.example.com/test). The server returns a response with a Set-Cookie header for JSESSIONID. Say that this cookie value is 1234. 2) Attacker sends victim a link of the form http://www.example.com/test;jsessionid=1234 3) Victim clicks the link. The server accepts that its session with the victim is 1234 since it is a valid session. 4) Victim authenticates to the site (presuming that jessionid is preserved in all interactions with the webapp) 5) Attacker can impersonate victim since the attacker knows the session id of the victim. While the victim did make a mistake by clicking on the link, it is unlikely that the victim knew the implications of clicking on a link with a valid jsessionid in the URL. This could be prevented at step 3 by the server rejecting any sessions that are sent via URL. I have not found this option in the docs, and looking through the code, there does not appear to be a way to prevent this behavior. The "cookies" attribute in the Context element does not change this behavior. Even if "cookies" is set to true, sessions sent in the URL are accepted by Tomcat for determining the HttpSession of the request. It would be easy to do deny this in a servlet or in a filter by using the HttpServletRequest class's isRequestedSessionIdFromCookie() method. However, I was hoping for a way to do this for all webapps and all servlets via configuration. Thoughts? Thanks in advance for any help. --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
