On Thu, Sep 07, 2006 at 06:33:41PM -0400, Chetan Sabnis wrote:
> Is there a way to disable the Tomcat server (5.5) from accepting
> sessions that are sent in the URL using jsessionid? This would be
> useful in preventing certain session fixation attacks. Basically, I
> would want sessions to be accepted only if they are sent using a
> cookie.
>
> Specifically, I am concerned about the following scenario:
>
> 1) Attacker sends a simple HTTP GET to server
> (http://www.example.com/test). The server returns a response with a
> Set-Cookie header for JSESSIONID. Say that this cookie value is 1234.
> 2) Attacker sends victim a link of the form
> http://www.example.com/test;jsessionid=1234
> 3) Victim clicks the link. The server accepts that its session with
> the victim is 1234 since it is a valid session.
> 4) Victim authenticates to the site (presuming that jsessionid is
> preserved in all interactions with the webapp)
4a) site login action calls session.invalidate() followed by request.getSession() to get a new session to defeat this attack.

> 5) Attacker can impersonate victim since the attacker knows the
> session id of the victim.
>

Or, you could write a filter that checks request.isRequestedSessionIdFromURL() and invalidates the session if it is.

btw, if there is a cookie set, that overrides anything provided in the url.

eric

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
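Both mitigations from the reply (4a: invalidate and re-create the session at login; the filter that refuses a session id carried in the URL) can share one helper. The following is an added example, not code from this thread or from Tomcat itself; it assumes the javax.servlet API (Servlet 2.4) that Tomcat 5.5 ships, and the class name RejectUrlSessionFilter, the helper renewSession() and the login snippet are hypothetical:

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter: a session id that arrived as ";jsessionid=..." in the
 * URL (request.isRequestedSessionIdFromURL()) is never honoured. The session it
 * names is invalidated and a fresh one is created, so an id chosen by an
 * attacker can never become the victim's authenticated session.
 */
public class RejectUrlSessionFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            // True only when the id came from the URL and no JSESSIONID cookie was
            // sent: a cookie, when present, takes precedence over the URL value.
            if (request.isRequestedSessionIdFromURL()) {
                renewSession(request);
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }

    /**
     * Step 4a from the reply: drop whatever session the request currently has and
     * return a new one. The container delivers the new id via Set-Cookie; it is
     * not echoed back into the URL by this code. Call this from the login action
     * before storing the authenticated principal in the session.
     */
    public static HttpSession renewSession(HttpServletRequest request) {
        HttpSession existing = request.getSession(false);
        if (existing != null) {
            existing.invalidate(); // discards the (possibly attacker-chosen) id
        }
        return request.getSession(true); // fresh id, fresh attribute map
    }
}

/*
 * Hypothetical login action showing how the helper is used (not a complete servlet):
 *
 *     if (authenticate(username, password)) {
 *         HttpSession session = RejectUrlSessionFilter.renewSession(request);
 *         session.setAttribute("user", username);
 *     }
 */
```

Map the filter to every path in web.xml (a filter-mapping with url-pattern /*) so no servlet sees the URL-supplied id before the filter has replaced it. Invalidating discards any attributes a legitimate user had accumulated under the old id, which is the intended cost: an unauthenticated session carries nothing worth preserving, and anything written after login lands in the renewed session.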