Posted to dev@tomcat.apache.org by bu...@apache.org on 2006/12/20 14:13:28 UTC
DO NOT REPLY [Bug 41217] New: - SingleSignOn Cookie does not honor https access: Login Information Disclosure
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41217>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=41217
Summary: SingleSignOn Cookie does not honor https access: Login Information Disclosure
Product: Tomcat 5
Version: 5.5.20
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: asf-bugzilla-2006@abstrakt.de
When using the SingleSignOn Valve
(org.apache.catalina.authenticator.SingleSignOn) via https, the cookie
JSESSIONIDSSO is transmitted without the "secure" attribute, resulting in it
being transmitted to any content that is - on purpose or by error - requested via
http from the same server.
As the content of the SSO cookie is confidential (it will lead to automatically
logged-in sessions in other contexts - https or non-https) this should never happen.
Sorry to have no patch. I've not installed the complete source distribution in
my development environment, but it seems the points to change are
org.apache.catalina.authenticator.AuthenticatorBase.register(...), the code of
interest being (from 5.5.30 source distribution)
    // Build the SSO cookie carrying the SSO session id
    Cookie cookie = new Cookie(Constants.SINGLE_SIGN_ON_COOKIE, ssoId);
    cookie.setMaxAge(-1);   // session cookie, discarded when the browser exits
    cookie.setPath("/");    // sent to every context on this host
    hres.addCookie(cookie); // no setSecure(...) call, so it is also sent over plain http
As hres is an org.apache.catalina.HttpRequest, and I've looked through the code
to find org.apache.catalina.Request.setSecure() but no ...isSecure() (though
this is mentioned in the Javadoc for ...setSecure()) I suppose there needs to be
another change to provide isSecure on Request or HttpRequest, but this is
difficult to tell only from the editor.
If isSecure() was there, there'd be a
cookie.setSecure(hres.isSecure())
missing in the statements above...
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
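The leak the report describes, and the effect of the one-line fix, can be shown without a Tomcat install. The following is an added example (not the bug report's code and not Tomcat's): a minimal model of the browser-side Secure rule from RFC 6265 section 5.4, plus an audit helper that flags Set-Cookie headers an https response sends without Secure. The host name sso.example.test, the cookie value and both Set-Cookie headers are constructed for the example; the first header has the shape the report describes (Path=/, no Secure), the second is what the cookie looks like once setSecure(true) is applied.

```python
"""Added example, not Tomcat code: why a Path=/ cookie issued over https
without the Secure attribute reaches plain-http requests to the same host,
and an audit helper for Set-Cookie headers.  All inputs are constructed."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

HOST = "sso.example.test"  # assumed host name, not taken from the bug report

# Constructed Set-Cookie header values.  VULNERABLE has the shape described in
# the report (Path=/ and no Secure); FIXED is the same cookie with Secure set.
VULNERABLE = "JSESSIONIDSSO=0123456789ABCDEF; Path=/"
FIXED = "JSESSIONIDSSO=0123456789ABCDEF; Path=/; Secure"


def parse_set_cookie(header):
    """Return (name, value, path, secure) for one Set-Cookie header value."""
    parsed = SimpleCookie()
    parsed.load(header)
    (name, morsel), = parsed.items()  # one cookie per Set-Cookie header
    return name, morsel.value, morsel["path"] or "/", bool(morsel["secure"])


class CookieJar:
    """Just enough of RFC 6265 section 5.4 to show the Secure rule: a cookie
    carrying the Secure attribute is only attached to requests over https."""

    def __init__(self):
        self.cookies = {}  # (host, name) -> (value, path, secure)

    def store(self, response_url, header):
        host = urlsplit(response_url).hostname
        name, value, path, secure = parse_set_cookie(header)
        self.cookies[(host, name)] = (value, path, secure)

    def cookie_header(self, request_url):
        """Cookie header value a browser would send with this request."""
        u = urlsplit(request_url)
        sent = []
        for (host, name), (value, path, secure) in self.cookies.items():
            if host != u.hostname or not (u.path or "/").startswith(path):
                continue
            if secure and u.scheme != "https":
                continue  # Secure keeps the cookie off plain-http requests
            sent.append(f"{name}={value}")
        return "; ".join(sent)


def audit_set_cookie(headers, issued_over_https):
    """Names of cookies that an https response set without the Secure attribute."""
    return [
        name
        for name, _value, _path, secure in map(parse_set_cookie, headers)
        if issued_over_https and not secure
    ]


def leaks_over_http(header):
    """True if a cookie set by an https login response would be sent on a plain
    http request to the same host, e.g. an <img src="http://..."> on a page."""
    jar = CookieJar()
    jar.store(f"https://{HOST}/login", header)
    return "JSESSIONIDSSO" in jar.cookie_header(f"http://{HOST}/images/logo.gif")


if __name__ == "__main__":
    print("cookie without Secure leaks over http:", leaks_over_http(VULNERABLE))
    print("cookie with Secure leaks over http:   ", leaks_over_http(FIXED))
    print("audit findings:", audit_set_cookie([VULNERABLE, FIXED], True))
```

To check a real deployment, request the login page over https and read the Set-Cookie header for JSESSIONIDSSO; Tomcat 5.5.21 and later set Secure when the request was secure, as the fix in this thread does with the request's isSecure(). One caveat a deployer should keep in mind: isSecure() reflects what the Tomcat connector sees, so an HTTP connector behind a TLS-terminating proxy only reports secure when the connector is configured as such (the connector's secure="true" attribute); otherwise the cookie is still issued without Secure even though the user typed https.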
DO NOT REPLY [Bug 41217] - SingleSignOn Cookie does not honor https access: Login Information Disclosure
Posted by bu...@apache.org.
markt@apache.org changed:
What       | Removed | Added
-----------+---------+---------
Status     | NEW     | RESOLVED
Resolution |         | FIXED
------- Additional Comments From markt@apache.org 2007-01-13 19:19 -------
This has been fixed in svn. Many thanks for the patch. The fix will be in 5.5.21
onwards.
DO NOT REPLY [Bug 41217] - SingleSignOn Cookie does not honor https access: Login Information Disclosure
Posted by bu...@apache.org.
------- Additional Comments From chris@sourcelabs.com 2007-01-11 17:15 -------
Created an attachment (id=19397)
--> (http://issues.apache.org/bugzilla/attachment.cgi?id=19397&action=view)
Patch to set secure flag on SSO cookie when requested over https
There is an isSecure() method available in the Request object used by
AuthenticatorBase...not sure why you couldn't find it. Attaching a patch that
sets the secure flag on the SSO cookie when accessed via https.
DO NOT REPLY [Bug 41217] - SingleSignOn Cookie does not honor https access: Login Information Disclosure
Posted by bu...@apache.org.
------- Additional Comments From asf-bugzilla-2006@abstrakt.de 2007-01-22 02:03 -------
Thanks for the fix - I believe I did not see the Request method because I had no
IDE environment ready for tomcat source and just browsed through the source in a
simple text editor - it's a lot easier to miss methods there.
Olaf