Mark, I'm not using either "basic" or "form". I developed my own solution, which works great for me. Assuming that the "session fixation" is my problem, what would you suggest me to do? Is there any web page on the internet that explains the issue?
> -----Original Message----- > From: Mark Thomas [mailto:ma...@apache.org] > Sent: Sunday, October 10, 2010 03:09 PM > To: Tomcat Users List > Subject: Re: JSESSIONID weakness Severity in Tomcat 6.0.29? > > On 10/10/2010 20:59, Brian wrote: > > Hi Mark, > > > > Do you understand exactly what vulnerability are they talking about? > > No. It doesn't make much sense to me at the minute. I'd ask for more specific > information. > > > For > > some reason, they have determined that I have it, even though I'm not > > using Jrun but they wrongly assume I am. > > Looks like it so far. It all depends how they are detecting the vulnerability. It > could be a false positive but there isn't enough information to tell. > > > What do you mean exactly with "app managing its own authentication"? > > Sorry if it is a dumb question. > > If you use Tomcat's authentication (BASIC, FORM, etc) then Tomcat will change > the session ID on authentication and therefore protect against session fixation. > > If the app has its own authentication mechanism it is possible that the session ID > will not be changed on authentication creating the possibility for a session > fixation attack. > > > I found this on Google, and now that I read it I realize they are > > quoting you! :-) > > http://www.developer.com/java/web/article.php/3904871/Top-7-Features-i > > n-Tomc > > at-7-The-New-and-the-Improved.htm > > Is this the same subject? > > Yep, although that is looking at Tomcat 7. The session fixation protection (along > with a handle of other things originally developed for Tomcat 7) got back-ported > to Tomcat 6. > > Mark > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
