Posted to users@tomcat.apache.org by Jeremy S <to...@yahoo.com> on 2001/10/11 20:28:33 UTC

Info On Security Please

Hi,

I'm new to this list; and I've been trying to do some research on session id
security.

The main point of my study is what would happen if someone was able to steal
my session id.

Thanks in advance; sorry if this was already discussed before.  I can't seem
to find this topic on my 2 days of research.

js




Re: Info On Security Please

Posted by Michael Rimov <ri...@centercomp.com>.
At 03:22 PM 10/11/2001 -0700, you wrote:
>This is indeed a good question from the security point of view. I am not sure
>how the <tomcat-user> participants take this generously or consider as
>an out-of-scope issue.

I for one, definitely don't take it as an out of scope issue.



> > Hi,
> >
> > I'm new to this list; and I've been trying to do some research on 
> session id
> > security.
> >
> > The main point of my study is what would happen if someone was able to 
> steal
> > my session id.
> >
> > Thanks in advance; sorry if this was already discussed before.  I can't 
> seem
> > to find this topic on my 2 days of research.

[Developers please correct me if I'm wrong :-) ]

There are a few aspects to this.

Baseline:  If the session id cookie is stolen, then essentially the session 
can be "hijacked".  People can operate within the rights of the person 
logged in whose session cookie they stole.

There ARE ways to make this less of a problem. For example, many forms have 
id numbers with them so forms can't be submitted twice... if they are, then 
the sessions are invalidated and the user is logged off....  this helps the 
problem.

Note: The session cookie usually only lasts for a few minutes, so it's not 
a matter of people compromising an end user's computer, grabbing the cookie 
and replaying it to the server... at that point, a new session is created 
and the person has to log in again.  So basically what has to happen is the 
hijacking has to happen after a person has logged in, and before they 
either log out, or the session expires [20 minute window]

On the flip side, Tomcat DOES provide secure random number generation so 
that people aren't easily able to just brute force the server feeding it 
random session id's until something valid comes up.

Hope this clarifies things.
                                                 -Mike


Re: Info On Security Please

Posted by Pae Choi <pa...@earthlink.net>.
This is indeed a good question from the security point of view. I am not sure
whether the <tomcat-user> participants take this generously or consider it
an out-of-scope issue.

If you post this to "comp.lang.java.security", would it be more appropriate?
If you do, cc me as well. I am going to promise that I will spend a chunk of
time with you. But I will take it from there.


Pae


> Hi,
> 
> I'm new to this list; and I've been trying to do some research on session id
> security.
> 
> The main point of my study is what would happen if someone was able to steal
> my session id.
> 
> Thanks in advance; sorry if this was already discussed before.  I can't seem
> to find this topic on my 2 days of research.
> 
> js
> 
> 

Re: Info On Security Please

Posted by Rick <rb...@actv.com>.
You may have to ask a more specific question.  I guess if it was URL based and
someone sniffed the URLs coming from your machine, your session could be stolen
easily enough.  Otherwise the session stealer would have to spoof your IP during
your session. Not sure if I'm right though.

rickb

Jeremy S wrote:

> Hi,
>
> I'm new to this list; and I've been trying to do some research on session id
> security.
>
> The main point of my study is what would happen if someone was able to steal
> my session id.
>
> Thanks in advance; sorry if this was already discussed before.  I can't seem
> to find this topic on my 2 days of research.
>
> js


Re: Info On Security Please

Posted by Pae Choi <pa...@earthlink.net>.
+1

Did not know Craig was taking this already :-). And I recommend you
use both of the measures suggested by Craig as a hybrid solution to solve the session
id vulnerability. Otherwise, it won't solve the possible problem as
addressed. In other words, both SSL "without a Random Number Generator"
and a Random Number Generator "without SSL" will face the vulnerability
problem.


Also, discard my previous posting.


Pae

> 
> 
> On Thu, 11 Oct 2001, Jeremy S wrote:
> 
> > Date: Thu, 11 Oct 2001 11:28:33 -0700
> > From: Jeremy S <to...@yahoo.com>
> > Reply-To: tomcat-user@jakarta.apache.org
> > To: tomcat-user@jakarta.apache.org
> > Subject: Info On Security Please
> >
> > Hi,
> >
> > I'm new to this list; and I've been trying to do some research on session id
> > security.
> >
> > The main point of my study is what would happen if someone was able to steal
> > my session id.
> >
> > Thanks in advance; sorry if this was already discussed before.  I can't seem
> > to find this topic on my 2 days of research.
> >
> 
> Many applications follow a pattern of asking the user to log on with a
> specific username and password, and then record some object in the user's
> session to indicate that they have already logged on successfully.  If I
> know your session id, I can bypass the login screen, and all my actions in
> the app get blamed on you.
> 
> Therefore, there are two major security issues with session ids:
> 
> * You do *not* want malicious folks to be able to snoop your
>   session id and impersonate you.  Note that it doesn't matter
>   whether you are using cookies or URL rewriting -- on the TCP
>   socket the session id is passed in cleartext unless you are
>   running across an SSL connection.
> 
> * You do *not* want it to be possible for someone to predict
>   what future session ids will be created by the servlet container
>   (based on knowing something about the random number generator
>   it is using).
> 
> > js
> >
> 
> Craig
> 

Re: Info On Security Please

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Thu, 11 Oct 2001, Jeremy S wrote:

> Date: Thu, 11 Oct 2001 11:28:33 -0700
> From: Jeremy S <to...@yahoo.com>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: Info On Security Please
>
> Hi,
>
> I'm new to this list; and I've been trying to do some research on session id
> security.
>
> The main point of my study is what would happen if someone was able to steal
> my session id.
>
> Thanks in advance; sorry if this was already discussed before.  I can't seem
> to find this topic on my 2 days of research.
>

Many applications follow a pattern of asking the user to log on with a
specific username and password, and then record some object in the user's
session to indicate that they have already logged on successfully.  If I
know your session id, I can bypass the login screen, and all my actions in
the app get blamed on you.

Therefore, there are two major security issues with session ids:

* You do *not* want malicious folks to be able to snoop your
  session id and impersonate you.  Note that it doesn't matter
  whether you are using cookies or URL rewriting -- on the TCP
  socket the session id is passed in cleartext unless you are
  running across an SSL connection.

* You do *not* want it to be possible for someone to predict
  what future session ids will be created by the servlet container
  (based on knowing something about the random number generator
  it is using).

> js
>

Craig
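The controls described in Mike's and Craig's replies above, as an added example that is not code from the thread or from Tomcat itself: a hypothetical servlet that only serves session-bearing pages over SSL (Craig's first point), draws its tokens from `java.security.SecureRandom` rather than a predictable generator (Craig's second point and Mike's note on secure random ids), and issues a one-time form id that invalidates the session when a submission is replayed (Mike's double-submit mitigation). The class and attribute names are assumptions.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet illustrating the controls discussed in the thread.
public class FormTokenServlet extends HttpServlet {
    // CSPRNG, not java.util.Random: future tokens must not be predictable.
    private static final SecureRandom RNG = new SecureRandom();
    private static final String TOKEN_ATTR = "form.token"; // assumed attribute name

    // 128 bits of CSPRNG output, hex-encoded (same quality a session id needs).
    static String newToken() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        StringBuilder sb = new StringBuilder(32);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    // GET: refuse cleartext (the session id would be sniffable), then render a
    // form carrying a fresh one-time token that is also remembered in the session.
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        String token = newToken();
        req.getSession(true).setAttribute(TOKEN_ATTR, token);
        resp.setContentType("text/html");
        resp.getWriter().println("<form method='post'><input type='hidden' name='token' value='"
                + token + "'><input type='submit'></form>");
    }

    // POST: the token is accepted exactly once. A missing or mismatched token means a
    // replay (or a hijacked session), so the session is invalidated and the user must log in again.
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
        String given = req.getParameter("token");
        boolean ok = expected != null && given != null
                && MessageDigest.isEqual(expected.getBytes(), given.getBytes()); // constant-time
        if (!ok) {
            if (session != null) session.invalidate();
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid or reused form token");
            return;
        }
        session.removeAttribute(TOKEN_ATTR); // single use: a second submit fails above
        resp.getWriter().println("Accepted");
    }
}
```

The `isSecure()` check only helps if the container is actually configured with an SSL connector; a session cookie issued over plain HTTP has already crossed the wire in cleartext.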