On Thu, Sep 07, 2006 at 06:33:41PM -0400, Chetan Sabnis wrote:
> Is there a way to disable the Tomcat server (5.5) from accepting
> sessions that are sent in the URL using jsessionid?  This would be
> useful in preventing certain session fixation attacks.  Basically, I
> would want sessions to be accepted only if they are sent using a
> cookie.
> 
> Specifically, I am concerned about the following scenario:
> 
> 1) Attacker sends a simple HTTP Get to server
> (http://www.example.com/test).  The server returns a response with a
> Set-Cookie header for JSESSIONID.  Say that this cookie value is 1234.
> 2) Attacker sends victim a link of the form
> http://www.example.com/test;jsessionid=1234
> 3) Victim clicks the link.  The server accepts that its session with
> the victim is 1234 since it is a valid session.
> 4) Victim authenticates to the site (presuming that jsessionid is
> preserved in all interactions with the webapp)

        4a) site login action calls session.invalidate() followed by
             request.getSession() to get a new session to defeat this attack.

> 5) Attacker can impersonate victim since the attacker knows the
> session id of the victim.
> 

Or, you could write a filter that checks request.isRequestedSessionIdFromURL()
and invalidates the session if it is.  btw, if there is a cookie set, that
overrides anything provided in the url.

eric
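
A filter along the lines Eric describes, together with the login-time rotation from 4a, as an added example (not code from this thread or from Tomcat); it assumes the Servlet 2.4 API that Tomcat 5.5 ships, a class name of UrlSessionFilter, and a filter mapping to /* as shown in the comment:

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: refuses session ids supplied via ";jsessionid=" in the URL and
// rotates the session id at login. Map it to /* in web.xml (assumed names):
//   <filter><filter-name>urlSession</filter-name>
//           <filter-class>UrlSessionFilter</filter-class></filter>
//   <filter-mapping><filter-name>urlSession</filter-name><url-pattern>/*</url-pattern></filter-mapping>
public class UrlSessionFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // true only when the id came from the URL and no JSESSIONID cookie was
        // sent: Tomcat prefers the cookie (as noted above), so a cookie-bearing
        // request never takes this branch. A URL-only id may have been planted
        // by a third party (step 2 in the scenario), so drop it before the
        // webapp sees it.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession planted = request.getSession(false);
            if (planted != null) {
                planted.invalidate();
            }
            // Rebuild the URL without the ;jsessionid path parameter
            // (getRequestURI() would still contain it) and send the client
            // back; the next request starts a fresh, cookie-based session.
            String clean = request.getContextPath() + request.getServletPath();
            if (request.getPathInfo() != null) clean += request.getPathInfo();
            if (request.getQueryString() != null) clean += "?" + request.getQueryString();
            response.sendRedirect(clean);   // a POST body is discarded here, by design
            return;
        }
        chain.doFilter(req, res);
    }

    // Login-time rotation (step 4a above): invalidate whatever session the
    // client arrived with and issue a new id, so an id known before
    // authentication is worthless afterwards. Re-add needed attributes yourself.
    public static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        return request.getSession(true);
    }
}
```

Call rotateSession() from the login action immediately after credentials are verified, and store the authenticated principal only in the session it returns.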

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org