Did anyone ever find an easy/clean way to disable JSESSIONID on a standalone Tomcat server (so not using Apache URL rewriting)?
Thanks, R

Chetan Sabnis wrote:

> Is there a way to disable the Tomcat server (5.5) from accepting sessions that are sent in the URL using jsessionid? This would be useful in preventing certain session fixation attacks. Basically, I would want sessions to be accepted only if they are sent using a cookie.
>
> Specifically, I am concerned about the following scenario:
>
> 1) Attacker sends a simple HTTP Get to server (http://www.example.com/test). The server returns a response with a Set-Cookie header for JSESSIONID. Say that this cookie value is 1234.
> 2) Attacker sends victim a link of the form http://www.example.com/test;jsessionid=1234
> 3) Victim clicks the link. The server accepts that its session with the victim is 1234 since it is a valid session.
> 4) Victim authenticates to the site (presuming that jsessionid is preserved in all interactions with the webapp)
> 5) Attacker can impersonate victim since the attacker knows the session id of the victim.
>
> While the victim did make a mistake by clicking on the link, it is unlikely that the victim knew the implications of clicking on a link with a valid jsessionid in the URL. This could be prevented at step 3 by the server rejecting any sessions that are sent via URL. I have not found this option in the docs, and looking through the code, there does not appear to be a way to prevent this behavior.
>
> The "cookies" attribute in the Context element does not change this behavior. Even if "cookies" is set to true, sessions sent in the URL are accepted by Tomcat for determining the HttpSession of the request.
>
> It would be easy to deny this in a servlet or in a filter by using the HttpServletRequest class's isRequestedSessionIdFromCookie() method. However, I was hoping for a way to do this for all webapps and all servlets via configuration. Thoughts?
>
> Thanks in advance for any help.
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

--
View this message in context: http://www.nabble.com/configuration-setting-to-disable-URL-sessions--tf2235928.html#a6394208
Sent from the Tomcat - User mailing list archive at Nabble.com.
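The filter that the quoted message sketches (refusing a session ID that did not arrive in the JSESSIONID cookie, using isRequestedSessionIdFromCookie()), written out as an added example. This is not code from the thread or from Tomcat itself; the class names CookieOnlySessionFilter and NoUrlRewritingResponse are my own, and it assumes the Servlet 2.4 API that Tomcat 5.5 implements. It also does the second half of the job the original poster describes: it stops Tomcat from ever emitting ;jsessionid= in encoded URLs, so a client without cookies is not silently moved onto URL sessions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Accepts a session only when its ID came from the JSESSIONID cookie.
 * A session ID carried as a URL path parameter (;jsessionid=...) is
 * discarded: the matching session is invalidated so a pre-created ID is
 * worthless, and the client is redirected to the same URL without it.
 * (Hypothetical class; register it in web.xml, see the note below.)
 */
public class CookieOnlySessionFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String requestedId = request.getRequestedSessionId();
        if (requestedId != null && !request.isRequestedSessionIdFromCookie()) {
            // Step 3 of the scenario: the ID was supplied in the URL, not the cookie.
            // Only invalidate the session that actually matches the supplied ID, so
            // a bogus ID cannot be used to knock out someone else's session.
            HttpSession session = request.getSession(false);
            if (session != null && session.getId().equals(requestedId)) {
                session.invalidate();
            }
            response.sendRedirect(stripJsessionId(request));
            return;
        }

        // Normal path: hand down a response whose encode*() methods never
        // append ;jsessionid, so URL-based sessions are never offered either.
        chain.doFilter(request, new NoUrlRewritingResponse(response));
    }

    /** Rebuilds the requested URL with any ;jsessionid path parameter removed. */
    static String stripJsessionId(HttpServletRequest request) {
        StringBuffer url = request.getRequestURL();
        String query = request.getQueryString();
        if (query != null) {
            url.append('?').append(query);
        }
        // Tomcat keeps path parameters in getRequestURI()/getRequestURL(),
        // so remove the jsessionid parameter explicitly.
        return url.toString().replaceAll("(?i);jsessionid=[^;/?#]*", "");
    }

    /** Response wrapper that leaves URLs untouched instead of rewriting them. */
    static class NoUrlRewritingResponse extends HttpServletResponseWrapper {
        NoUrlRewritingResponse(HttpServletResponse response) {
            super(response);
        }
        public String encodeURL(String url) { return url; }
        public String encodeRedirectURL(String url) { return url; }
        // Deprecated Servlet 2.0 names, still called by some old code.
        public String encodeUrl(String url) { return url; }
        public String encodeRedirectUrl(String url) { return url; }
    }
}
```

Register it with a `<filter>` element naming this class and a `<filter-mapping>` with `<url-pattern>/*</url-pattern>`. To get the "all webapps via configuration" effect the original poster asked for, the same declaration can go into Tomcat's conf/web.xml, which Tomcat merges into every webapp's descriptor, with the class placed on a classpath shared by all webapps. Two caveats: behind a reverse proxy, getRequestURL() reflects the host and scheme the connector saw, so the proxy connector has to be configured for the redirect to point at the public address; and the filter only enforces which transport the ID may use, so the application should still issue a fresh session ID on login to close the fixation window entirely.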