PATCH: Session ID from URL; would like some input!

Tue, 13 Oct 2009 02:28:32 -0700 

Hello list!
First of all, this maybe better suited for the dev list, but a quick peek only showed svn log mails etc soo.. Sending here instead, let me know if its wrong! 


We're having a problem related to Tomcat, in a pretty unusual  
scenario. Basicly the problem is with old expired sessions, and  
reading session ID from URL instead of cookie.
An example, in our case browser A is a main browser, and browser B is  
a slave "browser" (actually only a webkit rendering engine) which we  
only call with an URL to show a specific page, and we do not have  
control over cookies in browser B.


1. Browser A goes to our site, gets a new session, authenticates etc.

2. Browser A spawns browser B with url http://example.com/someresource;jsessionid= 
<the session ID from browser A's cookie>
3. Browser B loads the page, no session cookie provided since its  
freshly started, and gets the correct session.



Now, lets say both browsers are idle for  awhile, enough for the  
session to timeout



1. Browser A does some activity again, noticing that he got a new  
JSESSIONID cookie and re-authenticates in the new session.

2. Browser A spawns browser B with an url containing the new jsessionid

3 (this is where the problem is). Browser B loads the page, this time  
with its old jsessionid cookie, and also the new jsessionid on the URL.



So, browser B sends both the old session ID in the cookie (which is an  
expired session), and the new sessionid on the URL. This confuses  
tomcat.
In catalina/connector/Request.java and CoyoteAdaptor, we first check  
for a sessino ID on the URL, store it in Request, and then we check  
for  a cookie, and if we got one, we just overwrite the session ID  
from the URL.


My solution? The attached patch!

Now, what I'd like to know, can anyone of you developers see any nasty  
side effects that I might have missed about this?



One thing that was concerned about was that it would introduce session  
hijacking risks, but the only difference is that the evildoer have to  
erase his (already expired) cookie.. Normal tomcat accepts jsessionid  
on URL anyway, as long as there is no cookie, so that should not be a  
security concern..


Well, thanks for any ideas and input, and for Tomcat ofcourse!

Best regards

Johan Ström
Headweb AB





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





















					Reply via email to