Thanks! It was as easy as Googling the subject, but I didn't know exactly what it was called.
> -----Original Message-----
> From: Ken Bowen [mailto:kbo...@als.com]
> Sent: Sunday, October 10, 2010 05:52 PM
> To: Tomcat Users List
> Subject: Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
>
> Google "session fixation" --> http://en.wikipedia.org/wiki/Session_fixation
>
> On Oct 10, 2010, at 6:24 PM, Brian wrote:
>
> > Mark,
> >
> > I'm not using either "basic" or "form". I developed my own solution,
> > which works great for me.
> > Assuming that "session fixation" is my problem, what would you
> > suggest I do? Is there any web page on the internet that explains the
> > issue?
> >
> >> -----Original Message-----
> >> From: Mark Thomas [mailto:ma...@apache.org]
> >> Sent: Sunday, October 10, 2010 03:09 PM
> >> To: Tomcat Users List
> >> Subject: Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
> >>
> >> On 10/10/2010 20:59, Brian wrote:
> >>> Hi Mark,
> >>>
> >>> Do you understand exactly what vulnerability they are talking about?
> >>
> >> No. It doesn't make much sense to me at the minute. I'd ask for more
> >> specific information.
> >>
> >>> For some reason, they have determined that I have it, even though I'm
> >>> not using JRun; they wrongly assume I am.
> >>
> >> Looks like it so far. It all depends how they are detecting the
> >> vulnerability. It could be a false positive but there isn't enough
> >> information to tell.
> >>
> >>> What do you mean exactly by "app managing its own authentication"?
> >>> Sorry if it is a dumb question.
> >>
> >> If you use Tomcat's authentication (BASIC, FORM, etc) then Tomcat will
> >> change the session ID on authentication and therefore protect against
> >> session fixation.
> >>
> >> If the app has its own authentication mechanism it is possible that the
> >> session ID will not be changed on authentication, creating the possibility
> >> for a session fixation attack.
> >>
> >>> I found this on Google, and now that I read it I realize they are
> >>> quoting you! :-)
> >>> http://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm
> >>> Is this the same subject?
> >>
> >> Yep, although that is looking at Tomcat 7. The session fixation
> >> protection (along with a handful of other things originally developed for
> >> Tomcat 7) got back-ported to Tomcat 6.
> >>
> >> Mark
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
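Mark's point above is that an app doing its own login must change the session ID at the moment of authentication, as Tomcat's BASIC/FORM authenticators do. The following is an added example, not code from this thread or from Tomcat: a hypothetical Servlet 2.5 login servlet (the API level Tomcat 6 implements) that rotates the session after a successful credential check. `LoginServlet`, `checkCredentials`, the `authenticatedUser` attribute and the `/home` redirect are assumed names.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet for an app that manages its own authentication
// (Servlet 2.5 API, as shipped with Tomcat 6). Subclasses supply the real
// credential check; the part that matters here is the session rotation.
public abstract class LoginServlet extends HttpServlet {
    static final String USER_ATTR = "authenticatedUser"; // assumed attribute name

    protected abstract boolean checkCredentials(String user, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        if (user == null || !checkCredentials(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Marking req.getSession() as authenticated here would keep the pre-login
        // JSESSIONID; rotating first is the fix Mark describes for custom login code.
        HttpSession fresh = rotateSession(req);
        fresh.setAttribute(USER_ATTR, user);
        resp.sendRedirect(req.getContextPath() + "/home"); // assumed landing page
    }

    // Invalidate the pre-authentication session (its ID may have been set before
    // login) and create a new one, carrying over the existing attributes.
    // Servlet 3.1+ (Tomcat 8+) offers req.changeSessionId() for the same purpose.
    static HttpSession rotateSession(HttpServletRequest req) {
        Map<String, Object> carried = new HashMap<String, Object>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            for (Enumeration<?> n = old.getAttributeNames(); n.hasMoreElements();) {
                String name = (String) n.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true); // new ID, new Set-Cookie: JSESSIONID
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

A quick check for the behaviour a scanner is looking for: log in with a JSESSIONID cookie already set and confirm the response carries a different JSESSIONID and that the old one no longer maps to an authenticated session.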