[Security Issue] Sessions are visible across multiple clients

["Amrhein, Thomas" <Th...@t-systems.de>]

Hi all,

one session can be visible on multiple clients!!

THIS IS A BIG SECURITY PROBLEM!

Someone opens his webbrowser and has the session of somebody else.
So critical data could be viewed without permission.
Somebody can act as somebody else.

What's wrong with tomcat's session-handling?

I wrote a web application which can reproduce this.

I'm working with Tomcat 3.3m1 on WinNT4. 
On 3.2 I have the same problems sometimes with our application
but it is not reproducable there.

To reproduce this:
- put sessiontest.war in %TOMCAT_HOME%/webapps/
- start Tomcat
- open browser1 (Netscape 4.7 or IE5) on machine1 (close it before if it's
already open)
- locate browser1 on http://yourtomcat/sessiontest/index.jsp (a cookie will
be set)
- browser1: login with name for example 'Testuser1'
- browser1: show settings (The name is displayed)
- open browser2 on machine2 (close it before if it's already open)
- locate browser2 on http://yourtomcat/sessiontest/index.jsp (a cookie will
be set)

Browser2 now sees the same content like browser1 (logged in as Testuser1).
Look for the sourcecode in the .war. All objects are session-bound.
Normally you should not be logged in.
Remember that you are on different machines! They should have different
cookies, different
sessions, different usernames.
Sometimes but not often, they have the same Session-ID (I can not reproduce
this).

Bug #723: sessions are not properly recycled
Perhaps my issue belongs to this.

I've seen different bugs reported but not solved belonging to
session-handling.
#131,152,183,189,267,429,723,731

Can somebody reproduce this behaviour somewhere else?
And can this behaviour also happen in Tomcat 3.2/3.2.1 (I don't know the
code)?

regards,

Thomas

PS: I'm new to tomcat-dev-mailinglist (two or three hours) to stay tuned.
Perhaps it's already discussed and patched. Please inform me.