Posted to dev@tomcat.apache.org by bu...@apache.org on 2020/01/29 11:52:54 UTC
[Bug 64104] New: Double login forced by change session id on
authentication mechanism
https://bz.apache.org/bugzilla/show_bug.cgi?id=64104
Bug ID: 64104
Summary: Double login forced by change session id on
authentication mechanism
Product: Tomcat 8
Version: 8.5.50
Hardware: PC
Status: NEW
Severity: minor
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: goyocasero@gmail.com
Target Milestone: ----
Hi all.
We're maintaining a Spring application served by an Apache Tomcat server whose
login page has started to behave a little bit weirdly after upgrading from
version 8.5.43 to 8.5.50.
When we make the login POST to j_security_check, the FormAuthenticator
checks that changeSessionIdOnAuthentication is set to true and, so, it
checks that the required session id hasn't changed.
The problem is that the code considers that the id has changed even
if there's no previous sessionId registered as a note inside the internal
session. That's the code snippet:
    if (session != null && getChangeSessionIdOnAuthentication()) {
        // Does session id match?
        String expectedSessionId = (String)
                session.getNote(Constants.SESSION_ID_NOTE);
        if (expectedSessionId == null ||
                !expectedSessionId.equals(request.getRequestedSessionId())) {
            session.expire();
            session = null;
        }
    }
Looking at the code documentation for the changeSessionIdOnAuthentication
variable, the comment states: "Should the session ID, if any, be changed upon a
successful authentication to prevent a session fixation attack?". IMHO, that
"if any" should mean that the previous condition should be expressed as:

    if (expectedSessionId != null &&
            !expectedSessionId.equals(request.getRequestedSessionId()))

shouldn't it?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 64104] Double login forced by change session id on
authentication mechanism
Posted by bu...@apache.org.
Christopher Schultz <ch...@christopherschultz.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|NEW |RESOLVED
--- Comment #1 from Christopher Schultz <ch...@christopherschultz.net> ---
This is a topic for the users' list.
(In reply to Goyo from comment #0)
> IMHO, thats "if any" should means that
> the previous condition should be expressed as: if (expectedSessionId !=
> null && !expectedSessionId.equals(request.getRequestedSessionId()))
>
> shouldn't it?
No. If there is no expected session id, then it should be expired. Your code
would change the logic to "only expire if there was an expected session id AND
it did not match". So non-matching session ids (expected != requested) would
still be allowed, which is incorrect behavior.
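The following is an added example, not Tomcat's code and not part of the bug thread: it re-implements the quoted FormAuthenticator condition and the reporter's proposed variant as two Python functions over a minimal session model, then runs both on the three cases that the thread turns on (login form served and matching cookie; session with no recorded ID; recorded ID that does not match the POST). The Session class, serve_login_form() and the scenario IDs are constructed for the example; the only thing taken from the page is the condition itself and the note key name.

```python
"""Model of the session-ID note check in Tomcat's FormAuthenticator.

Added example, not Tomcat's code: the two check functions re-implement the
condition quoted in the bug report and the reporter's proposed change, so
their behaviour can be compared on every combination that matters.
"""
from dataclasses import dataclass, field

# Note key, as in org.apache.catalina.authenticator.Constants.SESSION_ID_NOTE.
SESSION_ID_NOTE = "org.apache.catalina.authenticator.SESSION_ID"


@dataclass
class Session:
    """Constructed stand-in for Tomcat's internal Session (id, notes, expiry)."""
    id: str
    notes: dict = field(default_factory=dict)
    expired: bool = False

    def get_note(self, key):
        return self.notes.get(key)

    def set_note(self, key, value):
        self.notes[key] = value

    def expire(self):
        self.expired = True
        self.notes.clear()


def tomcat_check(session, requested_session_id, change_session_id_on_auth=True):
    """The condition as quoted in the bug: expire unless a recorded ID exists
    and equals the ID the j_security_check request arrived with.
    Returns the session to continue with, or None if it was expired."""
    if session is not None and change_session_id_on_auth:
        expected = session.get_note(SESSION_ID_NOTE)
        if expected is None or expected != requested_session_id:
            session.expire()
            session = None
    return session


def proposed_check(session, requested_session_id, change_session_id_on_auth=True):
    """The reporter's proposed condition: expire only when a recorded ID
    exists and differs; a session with no recorded ID is kept."""
    if session is not None and change_session_id_on_auth:
        expected = session.get_note(SESSION_ID_NOTE)
        if expected is not None and expected != requested_session_id:
            session.expire()
            session = None
    return session


def serve_login_form(session):
    """Assumed, simplified model of the login-form step: the session's current
    ID is recorded as the note that the later j_security_check POST must match."""
    session.set_note(SESSION_ID_NOTE, session.id)


def run_scenarios():
    """Return, per variant, whether the session survives in each constructed case."""
    results = {}
    for name, check in (("tomcat", tomcat_check), ("proposed", proposed_check)):
        # 1. Normal flow: login form served into this session, POST carries the same ID.
        s1 = Session("A1")
        serve_login_form(s1)
        normal = check(s1, "A1") is not None

        # 2. A session exists, but the login form was never served into it, so no ID
        #    was recorded. Nothing ties this ID to this user's login attempt; it may
        #    have been created by the application beforehand, or its ID may have been
        #    supplied to the browser by someone else (the fixation case).
        s2 = Session("B2")
        no_note = check(s2, "B2") is not None

        # 3. An ID was recorded, but the POST arrives under a different one.
        s3 = Session("C3")
        serve_login_form(s3)
        mismatch = check(s3, "ZZ9") is not None

        results[name] = {"normal": normal, "no_note": no_note, "mismatch": mismatch}
    return results


if __name__ == "__main__":
    for variant, outcome in run_scenarios().items():
        print(variant, outcome)
```

Running it shows that the two conditions agree on the normal and mismatching cases and differ only when no ID was recorded: the quoted Tomcat condition expires that session (which, in the reporter's setup, sends the user back to the login form), while the proposed condition authenticates into a session whose ID Tomcat never associated with this login.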
[Bug 64104] Double login forced by change session id on
authentication mechanism
Posted by bu...@apache.org.
Goyo <go...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
OS| |All