Posted to users@tomcat.apache.org by Todd O'Bryan <to...@mac.com> on 2003/08/17 20:44:54 UTC

Session Security

Is there any block against someone stealing someone else's session id 
and using it for nefarious purposes? In other words, if I write a grade 
book program, could a sharp student write down the session id from a 
web address (if cookies are off) or look in the teacher's cookie file, 
and then go to a computer in the library and use the same session id to 
connect to the grade book page before the teacher logs out?

Does the session id check itself against the issuing computer's IP 
address or anything to prevent such a thing from happening? I realize 
it's a stretch that someone might leave their computer unattended long 
enough for such a thing to happen, but I just want to be sure. Also, 
could someone listening in to the net traffic grab the session id and 
then use it?

Thanks,
Todd


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


How To Build mod_jk2 with JNI Support

Posted by Bongrip <to...@echeeba.com>.
I get this error during configure:

need to check for Perl first, apxs depends on it...
checking for perl... /usr/bin/perl
building connector for "apache-2.0"
configure: error: valid apr source dir location required

Here is my configure command:
./configure --with-apxs2=/usr/local/apache2/bin/apxs 
--with-tomcat41=/usr/local/jakarta-tomcat-4.1.27 
--with-java-home=/usr/local/jakarta-tomcat-4.1.27/j2sdk1.4.2 --with-jni 
--with-apache13=no --with-apr=/usr/local/src/httpd-2.0.47/srclib/apr

Any ideas?

Thx,
CC


Re: Session Security

Posted by "G. Wade Johnson" <wa...@abbnm.com>.
I would avoid basing security on IP address. In addition to the spoofing
attack already mentioned, some proxy servers and cache engines replace
the source IP address when they pass the request to your server.

Under these circumstances, everyone seems to come from the same IP
address.

As recommended, a good book (or expert) on security is a requirement for
looking at these kinds of problems. There is almost always more to it
than you think.

G. Wade

Sjoerd van Leent wrote:
> 
> An easy workaround is to save the client IP address in the session, and
> check on each page whether this IP address is the address the client has.
> It's not waterproof, but it makes it far more difficult (ensure that a good
> router is available).
> 
> Sjoerd van Leent
> 
> -----Original Message-----
> From: Richard Dunn [mailto:richard.dunn@arkona.com]
> Sent: zondag 17 augustus 2003 21:02
> To: Tomcat Users List
> Subject: Re: Session Security
> 
> On Sunday 17 August 2003 12:44, Todd O'Bryan wrote:
> > Is there any block against someone stealing someone else's session id
> > and using it for nefarious purposes? In other words, if I write a grade
> > book program, could a sharp student write down the session id from a
> > web address (if cookies are off) or look in the teacher's cookie file,
> > and then go to a computer in the library and use the same session id to
> > connect to the grade book page before the teacher logs out?
> >
> > Does the session id check itself against the issuing computer's IP
> > address or anything to prevent such a thing from happening? I realize
> > it's a stretch that someone might leave their computer unattended long
> > enough for such a thing to happen, but I just want to be sure. Also,
> > could someone listening in to the net traffic grab the session id and
> > then use it?
> >
> > Thanks,
> > Todd
> 
> I am not a security expert, but if someone with my limited knowledge on
> security can use a tool like tcpdump and do some of what you're saying
> (and I have), a nefarious type whose primary interest is doing this type
> of thing certainly can.
> 
> The number of possible exploits is endless, but for a start I would
> suggest using SSL to encrypt the login info and data going over the wire.
> There are things you can do programmatically to check for the computer's
> IP, but this can also be spoofed by someone with even a little knowledge.
> 
> I would recommend getting a good book on security. There are things you
> can do at the system admin level to decrease the chance of a security
> breach, but you also have to put the right stuff in your programs. Holes
> on either one can negate the other.



RE: Session Security

Posted by Sjoerd van Leent <sv...@wanadoo.nl>.
An easy workaround is to save the client IP address in the session, and
check on each page whether this IP address is the address the client has.
It's not waterproof, but it makes it far more difficult (ensure that a good
router is available).

Sjoerd van Leent

-----Original Message-----
From: Richard Dunn [mailto:richard.dunn@arkona.com] 
Sent: zondag 17 augustus 2003 21:02
To: Tomcat Users List
Subject: Re: Session Security

On Sunday 17 August 2003 12:44, Todd O'Bryan wrote:
> Is there any block against someone stealing someone else's session id
> and using it for nefarious purposes? In other words, if I write a grade
> book program, could a sharp student write down the session id from a
> web address (if cookies are off) or look in the teacher's cookie file,
> and then go to a computer in the library and use the same session id to
> connect to the grade book page before the teacher logs out?
>
> Does the session id check itself against the issuing computer's IP
> address or anything to prevent such a thing from happening? I realize
> it's a stretch that someone might leave their computer unattended long
> enough for such a thing to happen, but I just want to be sure. Also,
> could someone listening in to the net traffic grab the session id and
> then use it?
>
> Thanks,
> Todd

I am not a security expert, but if someone with my limited knowledge on
security can use a tool like tcpdump and do some of what you're saying
(and I have), a nefarious type whose primary interest is doing this type
of thing certainly can.

The number of possible exploits is endless, but for a start I would
suggest using SSL to encrypt the login info and data going over the wire.
There are things you can do programmatically to check for the computer's
IP, but this can also be spoofed by someone with even a little knowledge.

I would recommend getting a good book on security. There are things you
can do at the system admin level to decrease the chance of a security
breach, but you also have to put the right stuff in your programs. Holes
on either one can negate the other.


Re: Session Security

Posted by Richard Dunn <ri...@arkona.com>.
On Sunday 17 August 2003 12:44, Todd O'Bryan wrote:
> Is there any block against someone stealing someone else's session id
> and using it for nefarious purposes? In other words, if I write a grade
> book program, could a sharp student write down the session id from a
> web address (if cookies are off) or look in the teacher's cookie file,
> and then go to a computer in the library and use the same session id to
> connect to the grade book page before the teacher logs out?
>
> Does the session id check itself against the issuing computer's IP
> address or anything to prevent such a thing from happening? I realize
> it's a stretch that someone might leave their computer unattended long
> enough for such a thing to happen, but I just want to be sure. Also,
> could someone listening in to the net traffic grab the session id and
> then use it?
>
> Thanks,
> Todd

I am not a security expert, but if someone with my limited knowledge on 
security can use a tool like tcpdump and do some of what you're saying (and I 
have), a nefarious type whose primary interest is doing this type of thing 
certainly can.

The number of possible exploits is endless, but for a start I would suggest 
using SSL to encrypt the login info and data going over the wire. There are 
things you can do programmatically to check for the computer's IP, but this 
can also be spoofed by someone with even a little knowledge.

I would recommend getting a good book on security. There are things you can do 
at the system admin level to decrease the chance of a security breach, but 
you also have to put the right stuff in your programs. Holes on either one 
can negate the other.


Re: Session Security

Posted by "G. Wade Johnson" <wa...@abbnm.com>.
In a previous life, I used a similar technique and was defeated when
the network guys put a cache engine in front of our servers. Then, all
requests came from the same IP address. This sort of thing can happen
based on other priorities in the organization and break your best
solutions.

The main thing with security is to determine who the threat is and how
difficult you want to make bypassing your security. In many cases, the
added expense (in time and money) is not worth the slim chance that
you are trying to eliminate. I don't know if that is the case for you,
but it's worth some review before trying to build a security system.

For the most bang for the buck, only allow access to the admin portions
through SSL. This encrypts the cookie along with the rest of the
request. The only thing you'd have left to worry about is physical
security of the system.

G. Wade

Sjoerd van Leent wrote:
> 
> The question here is how to do the same without cookies, so storing something
> in a cookie just won't work at all. I know that an IP address is not the
> best solution at all, but when you're using an internal network, it will
> work. I agree that using an IP address is by far not the best solution,
> but the odds are low...
> 
> Sjoerd
> 
> -----Original Message-----
> From: Mike Cherichetti (Renegade Internet)
> [mailto:mike@renegadeinternet.com]
> Sent: zondag 17 augustus 2003 22:29
> To: Tomcat Users List
> Subject: RE: Session Security
> 
> Todd,
> 
> Putting the IP address of the user in the session won't work too well. An
> AOL user for example may have a different IP address every time they send in
> a request.  And, it's obviously possible for someone to spoof an IP address.
> 
> The best solution I've found to prevent sessions from being stolen is to use
> a one time access token.  The token, which I usually create by doing MD5(ip
> + timestamp + random #), gets stored in a cookie and in the session itself.
> So, say a user logs in, they get a token and when they come back with their
> next request they send in that token.  Your authentication logic checks the
> token in the cookie against the token in the session and handles accepting
> or denying the request.  When the response is processed, you give them a new
> token and continue this cycle for all requests to follow.
> 
> Now, let's say someone manages to steal the session.  That person is going to
> get a different token than the legitimate user that's logged in currently
> has.  So, when the legitimate user sends in their next request with a wrong
> token, you should catch that the session has been compromised and invalidate
> it immediately.  This will result in the malicious user being kicked out.
> 
> Still, this isn't a perfect solution because most users forget to logout.
> Using a low timeout value for the session is the only way I know of to deal
> with this scenario.  You could run your application under HTTPS instead of
> HTTP too if that's an option :)
> 
> Hope that helps,
> Mike
> 
> -----Original Message-----
> From: Todd O'Bryan [mailto:toddobryan@mac.com]
> Sent: Sunday, August 17, 2003 2:45 PM
> To: tomcat-user@jakarta.apache.org
> Subject: Session Security
> 
> Is there any block against someone stealing someone else's session id
> and using it for nefarious purposes? In other words, if I write a grade
> book program, could a sharp student write down the session id from a
> web address (if cookies are off) or look in the teacher's cookie file,
> and then go to a computer in the library and use the same session id to
> connect to the grade book page before the teacher logs out?
> 
> Does the session id check itself against the issuing computer's IP
> address or anything to prevent such a thing from happening? I realize
> it's a stretch that someone might leave their computer unattended long
> enough for such a thing to happen, but I just want to be sure. Also,
> could someone listening in to the net traffic grab the session id and
> then use it?
> 
> Thanks,
> Todd


RE: Session Security

Posted by Sjoerd van Leent <sv...@wanadoo.nl>.
The question here is how to do the same without cookies, so storing something
in a cookie just won't work at all. I know that an IP address is not the
best solution at all, but when you're using an internal network, it will
work. I agree that using an IP address is by far not the best solution,
but the odds are low...

Sjoerd

-----Original Message-----
From: Mike Cherichetti (Renegade Internet)
[mailto:mike@renegadeinternet.com] 
Sent: zondag 17 augustus 2003 22:29
To: Tomcat Users List
Subject: RE: Session Security

Todd,

Putting the IP address of the user in the session won't work too well. An
AOL user for example may have a different IP address every time they send in
a request.  And, it's obviously possible for someone to spoof an IP address.

The best solution I've found to prevent sessions from being stolen is to use
a one time access token.  The token, which I usually create by doing MD5(ip
+ timestamp + random #), gets stored in a cookie and in the session itself.
So, say a user logs in, they get a token and when they come back with their
next request they send in that token.  Your authentication logic checks the
token in the cookie against the token in the session and handles accepting
or denying the request.  When the response is processed, you give them a new
token and continue this cycle for all requests to follow.

Now, let's say someone manages to steal the session.  That person is going to
get a different token than the legitimate user that's logged in currently
has.  So, when the legitimate user sends in their next request with a wrong
token, you should catch that the session has been compromised and invalidate
it immediately.  This will result in the malicious user being kicked out.

Still, this isn't a perfect solution because most users forget to logout.
Using a low timeout value for the session is the only way I know of to deal
with this scenario.  You could run your application under HTTPS instead of
HTTP too if that's an option :)

Hope that helps,
Mike

-----Original Message-----
From: Todd O'Bryan [mailto:toddobryan@mac.com]
Sent: Sunday, August 17, 2003 2:45 PM
To: tomcat-user@jakarta.apache.org
Subject: Session Security


Is there any block against someone stealing someone else's session id
and using it for nefarious purposes? In other words, if I write a grade
book program, could a sharp student write down the session id from a
web address (if cookies are off) or look in the teacher's cookie file,
and then go to a computer in the library and use the same session id to
connect to the grade book page before the teacher logs out?

Does the session id check itself against the issuing computer's IP
address or anything to prevent such a thing from happening? I realize
it's a stretch that someone might leave their computer unattended long
enough for such a thing to happen, but I just want to be sure. Also,
could someone listening in to the net traffic grab the session id and
then use it?

Thanks,
Todd
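
The rotating one-time token that Mike Cherichetti describes in the message quoted above, written out as an added example (this is not code from the thread or from Tomcat): the server keeps the current token in the session and hands it to the client, compares the two on every request, and issues a fresh token with every response, so a copied cookie stops matching as soon as either party makes another request. The names (SessionStore, handle_request, IDLE_TIMEOUT) are the example's own, it swaps Mike's MD5(ip + timestamp + random #) for a CSPRNG token compared in constant time, and the scripted exchanges between teacher and thief are constructed.

```python
"""Rotating per-request session token (added example, not Tomcat code).

Each accepted request rotates the token the client must present next time.
A stolen token is therefore usable at most until the other party makes a
request; the first mismatch invalidates the session for everyone.
"""
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; stands in for the servlet session timeout


class SessionStore:
    """Server-side sessions: id -> user, current token, last activity."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so the timeout path can be tested

    @staticmethod
    def _new_token():
        # CSPRNG token instead of MD5(ip + timestamp + random #): unguessable,
        # and independent of the IP, which proxies rewrite and dial-up rotates.
        return secrets.token_urlsafe(32)

    def login(self, user):
        """Create a session; returns (session_id, token) for the client's cookies."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "token": self._new_token(),
            "last_seen": self._clock(),
        }
        return sid, self._sessions[sid]["token"]

    def handle_request(self, sid, presented_token):
        """Validate one request.

        Returns (status, next_token). status is 'ok', 'no-session', 'expired'
        or 'compromised'; next_token is set only on 'ok' and is what the
        client must present on its next request.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return "no-session", None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            # A low idle timeout limits how long a forgotten login stays usable.
            del self._sessions[sid]
            return "expired", None
        expected = sess["token"].encode()
        presented = (presented_token or "").encode()
        if not hmac.compare_digest(expected, presented):
            # Stale token: either the thief or the real user is replaying it.
            # We cannot tell which, so the whole session is invalidated.
            del self._sessions[sid]
            return "compromised", None
        sess["token"] = self._new_token()
        sess["last_seen"] = now
        return "ok", sess["token"]


def demo_thief_replays_later():
    """Constructed exchange: cookie copied after the teacher's first request."""
    store = SessionStore()
    sid, tok1 = store.login("teacher")
    s1, tok2 = store.handle_request(sid, tok1)   # teacher: ok, token rotates
    stolen = tok2                                # thief copies the cookie file
    s2, tok3 = store.handle_request(sid, tok2)   # teacher again: ok, rotates
    s3, _ = store.handle_request(sid, stolen)    # thief replays tok2: compromised
    s4, _ = store.handle_request(sid, tok3)      # teacher is locked out as well
    return [s1, s2, s3, s4]


def demo_thief_first():
    """Constructed exchange: the thief gets one request in before detection."""
    store = SessionStore()
    sid, tok1 = store.login("teacher")
    s1, thief_tok = store.handle_request(sid, tok1)  # thief: ok, undetected once
    s2, _ = store.handle_request(sid, tok1)          # teacher: compromised
    s3, _ = store.handle_request(sid, thief_tok)     # thief: session is gone
    return [s1, s2, s3]


def demo_timeout():
    """An idle session past IDLE_TIMEOUT is rejected even with the right token."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    sid, tok = store.login("teacher")
    now[0] += IDLE_TIMEOUT + 1
    status, _ = store.handle_request(sid, tok)
    return status


if __name__ == "__main__":
    print(demo_thief_replays_later())  # ['ok', 'ok', 'compromised', 'no-session']
    print(demo_thief_first())          # ['ok', 'compromised', 'no-session']
    print(demo_timeout())              # expired
```

The second exchange shows the limit of the scheme that Mike's own caveat points at: the thief's first request is accepted, and detection only happens when the other party's next request arrives with the now-stale token. Strict per-response rotation also rejects legitimate parallel requests (two browser tabs racing), which is why deployments of this pattern usually tolerate the immediately previous token for a short grace window; none of that substitutes for running the application over SSL so the cookie is never visible on the wire in the first place.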


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org






---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org





RE: Session Security

Posted by Sjoerd van Leent <sv...@wanadoo.nl>.
Here is a question to do the same without cookies, so storing something
in a cookie just won't work at al. I know that an IP address is not the
best solution at all, but when you're using an internal network, it will
work. I agree that using an IP address is by far not the best solution,
but the odds are low...

Sjoerd

-----Original Message-----
From: Mike Cherichetti (Renegade Internet)
[mailto:mike@renegadeinternet.com] 
Sent: zondag 17 augustus 2003 22:29
To: Tomcat Users List
Subject: RE: Session Security

Todd,

Putting the IP address of the user in the session won't work too well.  An
AOL user for example may have a different IP address every time they send in
a request.  And, it's obviously possible for someone to spoof an IP
address.

The best solution I've found to prevent sessions from being stolen is to use
a one time access token.  The token, which I usually create by doing MD5(ip
+ timestamp + random #), gets stored in a cookie and in the session itself.
So, say a user logs in, they get a token and when they come back with their
next request they send in that token.  Your authentication logic checks the
token in the cookie against the token in the session and handles accepting
or denying the request.  When the response is processed, you give them a new
token and continue this cycle for all requests to follow.

Now, let's say someone manages to steal the session.  That person is going to
get a different token than the legitimate user that's logged in currently
has.  So, when the legitimate user sends in their next request with a wrong
token, you should catch that the session has been compromised and invalidate
it immediately.  This will result in the malicious user being kicked out.

Still, this isn't a perfect solution because most users forget to logout.
Using a low timeout value for the session is the only way I know of to deal
with this scenario.  You could run your application under HTTPS instead of
HTTP too if that's an option :)

Hope that helps,
Mike

-----Original Message-----
From: Todd O'Bryan [mailto:toddobryan@mac.com]
Sent: Sunday, August 17, 2003 2:45 PM
To: tomcat-user@jakarta.apache.org
Subject: Session Security


Is there any block against someone stealing someone else's session id
and using it for nefarious purposes? In other words, if I write a grade
book program, could a sharp student write down the session id from a
web address (if cookies are off) or look in the teacher's cookie file,
and then go to a computer in the library and use the same session id to
connect to the grade book page before the teacher logs out?

Does the session id check itself against the issuing computer's IP
address or anything to prevent such a thing from happening? I realize
it's a stretch that someone might leave their computer unattended long
enough for such a thing to happen, but I just want to be sure. Also,
could someone listening in to the net traffic grab the session id and
then use it?

Thanks,
Todd


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


RE: Session Security

Posted by "Mike Cherichetti (Renegade Internet)" <mi...@renegadeinternet.com>.
Todd,

Putting the IP address of the user in the session won't work too well.  An
AOL user for example may have a different IP address every time they send in
a request.  And, it's  obviously possible for someone to spoof an IP
address.

The best solution I've found to prevent sessions from being stolen is to use
a one time access token.  The token, which I usually create by doing MD5(ip
+ timestamp + random #), gets stored in a cookie and in the session itself.
So, say a user logs in, they get a token and when they come back with their
next request they send in that token.  Your authentication logic checks the
token in the cookie against the token in the session and handles accepting
or denying the request.  When the response is processed, you give them a new
token and continue this cycle for all requests to follow.

Now, let's say someone manages to steal the session.  That person is going to
get a different token than the legitimate user that's logged in currently
has.  So, when the legitimate user sends in their next request with a wrong
token, you should catch that the session has been compromised and invalidate
it immediately.  This will result in the malicious user being kicked out.

Still, this isn't a perfect solution because most users forget to logout.
Using a low timeout value for the session is the only way I know of to deal
with this scenario.  You could run your application under HTTPS instead of
HTTP too if that's an option :)

Hope that helps,
Mike

-----Original Message-----
From: Todd O'Bryan [mailto:toddobryan@mac.com]
Sent: Sunday, August 17, 2003 2:45 PM
To: tomcat-user@jakarta.apache.org
Subject: Session Security


Is there any block against someone stealing someone else's session id
and using it for nefarious purposes? In other words, if I write a grade
book program, could a sharp student write down the session id from a
web address (if cookies are off) or look in the teacher's cookie file,
and then go to a computer in the library and use the same session id to
connect to the grade book page before the teacher logs out?

Does the session id check itself against the issuing computer's IP
address or anything to prevent such a thing from happening? I realize
it's a stretch that someone might leave their computer unattended long
enough for such a thing to happen, but I just want to be sure. Also,
could someone listening in to the net traffic grab the session id and
then use it?

Thanks,
Todd


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
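The token cycle Mike describes, written out as an added example that is not code from this thread or from Tomcat: a plain-Python model of the session store, the check of the cookie token against the session token, the rotation on every response, and the stolen-cookie scenario from Todd's question. It assumes an in-memory dict in place of the container's session map and plain dicts in place of the cookies each side sends; the token comes from secrets.token_hex rather than the MD5(ip + timestamp + random #) construction in the post, since an unguessable random value is all the comparison needs. The names SessionStore, handle_request, issue_token and the ACCESS_TOKEN cookie are this example's own.

```python
"""Rotating one-time access token for detecting a stolen session.

Added example, not code from the thread or from Tomcat. Assumptions: an
in-memory dict stands in for the container's session store, a plain dict
stands in for the cookies a browser sends, and tokens come from
secrets.token_hex instead of MD5(ip + timestamp + random #).
"""
import secrets

TOKEN_BYTES = 16               # 128 bits of CSPRNG output; not guessable
SESSION_COOKIE = "JSESSIONID"  # Tomcat's default session cookie name
TOKEN_COOKIE = "ACCESS_TOKEN"  # hypothetical name for the rotating token


class SessionStore:
    """Minimal stand-in for the servlet container's session map."""

    def __init__(self):
        self._sessions = {}  # session id -> attribute dict

    def create(self, user):
        sid = secrets.token_hex(TOKEN_BYTES)
        self._sessions[sid] = {"user": user, "token": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def invalidate(self, sid):
        self._sessions.pop(sid, None)


def issue_token(store, sid):
    """Mint a fresh token, record it in the session, and return the cookies
    the response would set. Called once at login and after every request."""
    token = secrets.token_hex(TOKEN_BYTES)
    store.get(sid)["token"] = token
    return {SESSION_COOKIE: sid, TOKEN_COOKIE: token}


def handle_request(store, cookies):
    """Check the presented token against the one held in the session.

    Returns (status, cookies_to_set) with status 'ok', 'no-session' or
    'compromised'. On a mismatch the whole session is invalidated, so both
    the legitimate user and whoever holds the copy lose it."""
    sid = cookies.get(SESSION_COOKIE)
    sess = store.get(sid) if sid else None
    if sess is None:
        return "no-session", {}
    expected = sess["token"]
    presented = cookies.get(TOKEN_COOKIE, "")
    # Constant-time comparison so the check does not leak partial matches.
    if expected is None or not secrets.compare_digest(
            presented.encode(), expected.encode()):
        store.invalidate(sid)
        return "compromised", {}
    return "ok", issue_token(store, sid)


def legitimate_scenario(requests=3):
    """One user, several requests: each one succeeds and rotates the token."""
    store = SessionStore()
    cookies = issue_token(store, store.create("teacher"))
    statuses = []
    for _ in range(requests):
        status, cookies = handle_request(store, cookies)
        statuses.append(status)
    return statuses


def hijack_scenario():
    """Constructed scenario from the thread: the cookie file is copied while
    the teacher is still logged in, and the copy is used first."""
    store = SessionStore()
    teacher = issue_token(store, store.create("teacher"))
    copied = dict(teacher)  # session id plus the token current at that moment
    s1, copied = handle_request(store, copied)    # works once, rotates token
    s2, teacher = handle_request(store, teacher)  # stale token: compromised
    s3, _ = handle_request(store, copied)         # session no longer exists
    return [s1, s2, s3]


if __name__ == "__main__":
    print("legitimate:", legitimate_scenario())
    print("hijack:    ", hijack_scenario())
```

Running it reproduces the sequence the post sketches: the copied cookies work exactly once, the teacher's next request carries the now-stale token and invalidates the session, and the copy holder is refused on their next attempt. Whichever side sends first after the copy gets that one request through, so detection always costs the legitimate user a fresh login and never prevents the first stolen request, which is why the post pairs the scheme with a short session timeout and HTTPS.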






RE: Session Security

Posted by Mike Curwen <gb...@gb-im.com>.
> Also, could someone listening in to the net traffic grab the session
> id and then use it?
> 
> Thanks,
> Todd
> 
 
Better yet, if you're not using SSL, they can grab the plaintext HTML
that goes back and forth between teacher and server.  They see
everything the teacher sees.


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

