If you're using apache httpd as a front end you can handle this with a rewrite rule:
RewriteRule (.*);jsessionid.* $1 I do this for a different reason - when my users go to the top level url they are redirected to a login page that includes the jsessionid in the new url. They then bookmark the page (session id included) and end up reusing it. It is possible (though unlikely) to have two users conflict on a single session id this way, so I eliminate the possibility entirely. -marc --- Chetan Sabnis <[EMAIL PROTECTED]> wrote: > Is there a way to disable the Tomcat server (5.5) > from accepting > sessions that are sent in the URL using jsessionid? > This would be > useful in preventing certain session fixation > attacks. Basically, I > would want sessions to be accepted only if they are > sent using a > cookie. > > Specifically, I am concerned about the following > scenario: > > 1) Attacker sends a simple HTTP Get to server > (http://www.example.com/test). The server returns a > response with a > Set-Cookie header for JSESSIONID. Say that this > cookie value is 1234. > 2) Attacker sends victim a link of the form > http://www.example.com/test;jsessionid=1234 > 3) Victim clicks the link. The server accepts that > its session with > the victim is 1234 since it is a valid session. > 4) Victim authenticates to the site (presuming that > jessionid is > preserved in all interactions with the webapp) > 5) Attacker can impersonate victim since the > attacker knows the > session id of the victim. > > While the victim did make a mistake by clicking on > the link, it is > unlikely that the victim knew the implications of > clicking on a link > with a valid jsessionid in the URL. This could be > prevented at step 3 > by the server rejecting any sessions that are sent > via URL. I have > not found this option in the docs, and looking > through the code, there > does not appear to be a way to prevent this > behavior. > > The "cookies" attribute in the Context element does > not change this > behavior. Even if "cookies" is set to true, > sessions sent in the URL > are accepted by Tomcat for determining the > HttpSession of the request. > > It would be easy to do deny this in a servlet or in > a filter by using > the HttpServletRequest class's > isRequestedSessionIdFromCookie() > method. However, I was hoping for a way to do this > for all webapps > and all servlets via configuration. Thoughts? > > Thanks in advance for any help. > > --------------------------------------------------------------------- > To start a new topic, e-mail: > users@tomcat.apache.org > To unsubscribe, e-mail: > [EMAIL PROTECTED] > For additional commands, e-mail: > [EMAIL PROTECTED] > > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
