Posted to dev@tomcat.apache.org by bu...@apache.org on 2010/03/15 09:05:47 UTC

DO NOT REPLY [Bug 48913] New: Request.changeSessionId adds a second Set-Cookie JSESSIONID

https://issues.apache.org/bugzilla/show_bug.cgi?id=48913

           Summary: Request.changeSessionId adds a second Set-Cookie
                    JSESSIONID
           Product: Tomcat 6
           Version: 6.0.24
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: regression
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: stephan.zlatarev@yahoo.com


The protection mechanism against session fixation attacks available in Tomcat
6.0.24 has the problem that if a Valve or a custom Authenticator implementation
enforces creation of an HTTP session for a request and the JSESSIONID is
created before the authenticator registers the session and it is required to
change the session id (which is the default behavior) then instead of changing
the session id a second one is issued and both are sent to the user agent.

Here are the details of how I encounter the problem:
During authentication my Authenticator implementation requires access to the
HTTP session before it invokes method register(request, response, principal,
authType, username, password). When it accesses the HTTP session the Response
is instructed to send Set-Cookie with a newly generated JSESSIONID and
immediately after that - as part of the register method invocation - the
Request is instructed to change the JSESSIONID. The problem is that
Request.changeSessionId does not check whether the response is already
instructed to issue a Set-Cookie header for the session ID and simply adds a
second cookie to be sent to the browser. The HTTP response contains two
Set-Cookie headers for JSESSIONID with different values, where the second is
the newest one. As MS IE uses the first cookie it receives, it is
not able to connect to the session with subsequent requests.

Can you confirm this is not the intended behavior and let me know when this
problem can be corrected?

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
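The condition described in the report above, a response carrying two Set-Cookie headers for JSESSIONID with different values, is something a test harness or a reverse proxy can check for directly. The following Python is an added example, not code from the bug report or from Tomcat: it scans a response header list for cookie names set more than once, shows the value a first-wins client (the IE behaviour the reporter describes) and a last-wins client would each end up with, and collapses the duplicates by keeping only the most recent Set-Cookie, which is the effect the reporter expects from changeSessionId. The header values and the helper names (parse_set_cookie, find_duplicate_cookies, client_cookie_value, dedupe_set_cookie) are constructed for this example.

```python
"""Detect and collapse duplicate Set-Cookie headers for a single cookie name.

Added example; the headers below are constructed, not captured from Tomcat.
"""
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]  # (header name, header value) in response order

# Constructed response headers reproducing the reported symptom: the
# session is created first (AAAA1111), then changeSessionId appends a
# second JSESSIONID cookie (BBBB2222) instead of replacing the first.
SAMPLE_HEADERS: List[Header] = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=AAAA1111; Path=/app; HttpOnly"),
    ("Set-Cookie", "JSESSIONID=BBBB2222; Path=/app; HttpOnly"),
    ("Content-Length", "123"),
]


def parse_set_cookie(value: str) -> Tuple[str, str]:
    """Return (cookie name, cookie value) from a Set-Cookie header value.

    Attributes after the first ';' (Path, HttpOnly, ...) are ignored; only
    the name=value pair matters for spotting duplicates.
    """
    pair = value.split(";", 1)[0]
    name, _, val = pair.partition("=")
    return name.strip(), val.strip()


def find_duplicate_cookies(headers: List[Header]) -> Dict[str, List[str]]:
    """Map each cookie name set more than once to its values, in response order.

    An empty dict means the response sets every cookie at most once.
    """
    seen: Dict[str, List[str]] = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cname, cval = parse_set_cookie(value)
        seen.setdefault(cname, []).append(cval)
    return {cname: vals for cname, vals in seen.items() if len(vals) > 1}


def client_cookie_value(headers: List[Header], cookie_name: str,
                        first_wins: bool) -> Optional[str]:
    """Value a client keeps for cookie_name.

    first_wins=True models the behaviour the reporter attributes to MS IE;
    first_wins=False models a client that lets the last Set-Cookie override.
    """
    values = [parse_set_cookie(v)[1] for n, v in headers
              if n.lower() == "set-cookie" and parse_set_cookie(v)[0] == cookie_name]
    if not values:
        return None
    return values[0] if first_wins else values[-1]


def dedupe_set_cookie(headers: List[Header], cookie_name: str) -> List[Header]:
    """Drop every Set-Cookie for cookie_name except the last one.

    Other headers and their relative order are left untouched, so the
    newest session id is the only one the browser sees.
    """
    last_index = None
    for i, (name, value) in enumerate(headers):
        if name.lower() == "set-cookie" and parse_set_cookie(value)[0] == cookie_name:
            last_index = i
    kept: List[Header] = []
    for i, (name, value) in enumerate(headers):
        is_target = (name.lower() == "set-cookie"
                     and parse_set_cookie(value)[0] == cookie_name)
        if is_target and i != last_index:
            continue
        kept.append((name, value))
    return kept


if __name__ == "__main__":
    dups = find_duplicate_cookies(SAMPLE_HEADERS)
    for cname, vals in dups.items():
        print(f"cookie {cname} set {len(vals)} times: {vals}")
        print("  first-wins client keeps:",
              client_cookie_value(SAMPLE_HEADERS, cname, first_wins=True))
        print("  last-wins client keeps:",
              client_cookie_value(SAMPLE_HEADERS, cname, first_wins=False))
    fixed = dedupe_set_cookie(SAMPLE_HEADERS, "JSESSIONID")
    print("after dedupe:", fixed)
```

Run against a real response, `find_duplicate_cookies` is the detection step: any non-empty result for JSESSIONID means the server and a first-wins browser will disagree about which session the next request belongs to. `dedupe_set_cookie` is only a demonstration of the intended end state; the durable fix is for the container to replace the pending cookie rather than for a proxy to strip it.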


DO NOT REPLY [Bug 48913] Request.changeSessionId adds a second Set-Cookie JSESSIONID


--- Comment #1 from Mark Thomas <ma...@apache.org> 2010-03-30 21:59:05 UTC ---
I can confirm that the current implementation does not expect other components
to force the creation of a session earlier in the pipeline.

This looks to be fixable but I'm worried about the overhead that will be
associated with the fix. My performance concerns may be unfounded but if you
were able to find an alternative solution (eg not requiring the session to be
created in your custom authenticator) then that might be a better overall
solution.



DO NOT REPLY [Bug 48913] Request.changeSessionId adds a second Set-Cookie JSESSIONID


Filip Hanik <fh...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

--- Comment #4 from Filip Hanik <fh...@apache.org> 2010-04-20 13:17:04 EDT ---


*** This bug has been marked as a duplicate of bug 49158 ***



DO NOT REPLY [Bug 48913] Request.changeSessionId adds a second Set-Cookie JSESSIONID


--- Comment #2 from Mark Thomas <ma...@apache.org> 2010-03-30 23:06:18 UTC ---
Created an attachment (id=25219)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=25219)
Proposed patch to remove previously set session cookies

I haven't applied the attached patch to trunk. I'd appreciate some feedback
on the patch before I do.



DO NOT REPLY [Bug 48913] Request.changeSessionId adds a second Set-Cookie JSESSIONID


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fhanik@apache.org

--- Comment #3 from Mark Thomas <ma...@apache.org> 2010-04-20 13:12:35 EDT ---
*** Bug 49158 has been marked as a duplicate of this bug. ***
