Posted to users@tomcat.apache.org by Utkarsh Dave <ut...@gmail.com> on 2015/11/25 11:50:58 UTC

Question related to Session management in Tomcat !

Hello,

I need inputs/answers on the points below to implement a secure session
management application, or if there is any configuration that may need to
be tuned to improve the points below, please point me to that.

A)
Are session IDs cryptographically strong and do they not reveal sensitive
information, so that they can't be guessed easily or used to find attack
vectors?
Do we meet the below:
1. Are strong entropy sources used to generate the session ID value?
2. Are strong cryptographic algorithms used to generate the session ID
value?
3. Does the session ID value provide at least 128 bits of entropy?
4. Is the session ID value meaningless, to prevent information disclosure
attacks allowing recovery of the contents of the ID and extraction of details
of the user, the session, or the inner workings of the web application?

B)
Are the session IDs fully validated before they may be used?
When using a session ID to keep authentication state and track user progress
within a web application, the application MUST treat the session ID as
untrusted data, and sanitize and validate it before use.

Thanks a lot for your time.

Utkarsh Dave

Re: Question related to Session management in Tomcat !

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Utkarsh,

On 11/25/15 6:29 AM, Utkarsh Dave wrote:
> Thank you, Mark.
> 
> On Wed, Nov 25, 2015 at 4:39 PM, Mark Thomas <ma...@apache.org> wrote:
> 
>> On 25/11/2015 10:50, Utkarsh Dave wrote:
>>> Hello,
>>>
>>> I need inputs/answers on the points below to implement a secure session
>>> management application, or if there is any configuration that may need
>>> to be tuned to improve the points below, please point me to that.
>>> A)
>>> Are session IDs cryptographically strong and do they not reveal sensitive
>>> information, so that they can't be guessed easily or used to find attack
>>> vectors?
>>> Do we meet the below:
>>> 1. Are strong entropy sources used to generate the session ID value?
>>
>> Yes, it uses java.security.SecureRandom by default.
>>
>>> 2. Are strong cryptographic algorithms used to generate the session ID
>>> value?
>>
>> Yes, SHA1PRNG by default.
>>
>>> 3. Does the session ID value provide at least 128 bits of entropy?
>>
>> Yes, the session ID is 16 bytes / 128 bits long by default.
>>
>>> 4. Is the session ID value meaningless, to prevent information disclosure
>>> attacks allowing recovery of the contents of the ID and extraction of
>>> details of the user, the session, or the inner workings of the web
>>> application?
>>
>> Yes.
>>
>>> B)
>>> Are the session IDs fully validated before they may be used?
>>> When using a session ID to keep authentication state and track user
>>> progress within a web application, the application MUST treat the session
>>> ID as untrusted data, and sanitize and validate it before use.
>>
>> Yes.
>>
>> As with most things in Tomcat, configuration provides a lot of control
>> over session ID generation but the default settings meet the
>> requirements you set out above.
>>
>> Mark

Good luck on your checkbox-based security audit!

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Question related to Session management in Tomcat !

Posted by Utkarsh Dave <ut...@gmail.com>.
Thank you, Mark.

On Wed, Nov 25, 2015 at 4:39 PM, Mark Thomas <ma...@apache.org> wrote:

> On 25/11/2015 10:50, Utkarsh Dave wrote:
> > Hello,
> >
> > I need inputs/answers on the points below to implement a secure session
> > management application, or if there is any configuration that may need
> > to be tuned to improve the points below, please point me to that.
> > A)
> > Are session IDs cryptographically strong and do they not reveal sensitive
> > information, so that they can't be guessed easily or used to find attack
> > vectors?
> > Do we meet the below:
> > 1. Are strong entropy sources used to generate the session ID value?
>
> Yes, it uses java.security.SecureRandom by default.
>
> > 2. Are strong cryptographic algorithms used to generate the session ID
> > value?
>
> Yes, SHA1PRNG by default.
>
> > 3. Does the session ID value provide at least 128 bits of entropy?
>
> Yes, the session ID is 16 bytes / 128 bits long by default.
>
> > 4. Is the session ID value meaningless, to prevent information disclosure
> > attacks allowing recovery of the contents of the ID and extraction of
> > details of the user, the session, or the inner workings of the web
> > application?
>
> Yes.
>
> > B)
> > Are the session IDs fully validated before they may be used?
> > When using a session ID to keep authentication state and track user
> > progress within a web application, the application MUST treat the session
> > ID as untrusted data, and sanitize and validate it before use.
>
> Yes.
>
> As with most things in Tomcat, configuration provides a lot of control
> over session ID generation but the default settings meet the
> requirements you set out above.
>
> Mark

Re: Question related to Session management in Tomcat !

Posted by Mark Thomas <ma...@apache.org>.
On 25/11/2015 10:50, Utkarsh Dave wrote:
> Hello,
> 
> I need inputs/answers on the points below to implement a secure session
> management application, or if there is any configuration that may need to
> be tuned to improve the points below, please point me to that.
> A)
> Are session IDs cryptographically strong and do they not reveal sensitive
> information, so that they can't be guessed easily or used to find attack
> vectors?
> Do we meet the below:
> 1. Are strong entropy sources used to generate the session ID value?

Yes, it uses java.security.SecureRandom by default.

> 2. Are strong cryptographic algorithms used to generate the session ID
> value?

Yes, SHA1PRNG by default.

> 3. Does the session ID value provide at least 128 bits of entropy?

Yes, the session ID is 16 bytes / 128 bits long by default.

> 4. Is the session ID value meaningless, to prevent information disclosure
> attacks allowing recovery of the contents of the ID and extraction of details
> of the user, the session, or the inner workings of the web application?

Yes.

> B)
> Are the session IDs fully validated before they may be used?
> When using a session ID to keep authentication state and track user progress
> within a web application, the application MUST treat the session ID as
> untrusted data, and sanitize and validate it before use.

Yes.

As with most things in Tomcat, configuration provides a lot of control
over session ID generation but the default settings meet the
requirements you set out above.

Mark
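As an added illustration of the two properties Mark confirms above (point A: an ID drawn from java.security.SecureRandom with the SHA1PRNG algorithm, 16 bytes / 128 bits, rendered as hex and carrying no user data; point B: the inbound ID treated as untrusted and checked before any lookup), here is a small stand-alone Java class. It is example code written for this thread, not Tomcat's own session manager: the class name SessionIdDemo, the in-memory session map, the lookup method and the hostile sample inputs are constructed for the demonstration, and the 32-character upper-case hex shape enforced by the validator is an assumption made here rather than something Tomcat guarantees to applications.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.regex.Pattern;

/**
 * Added example for this thread (not Tomcat code): generates session IDs with
 * the properties discussed above and refuses to use an inbound ID that does
 * not have the expected shape.
 */
public final class SessionIdDemo {
    // 16 random bytes = 128 bits of entropy, encoded as 32 hex characters.
    private static final int ID_BYTES = 16;
    private static final char[] HEX = "0123456789ABCDEF".toCharArray();
    // Assumed shape of a valid ID: exactly 32 upper-case hex digits, nothing else.
    private static final Pattern VALID_ID = Pattern.compile("[0-9A-F]{32}");

    private final SecureRandom random;
    // Constructed stand-in for a session store; value is just a marker here.
    private final ConcurrentMap<String, String> sessions = new ConcurrentHashMap<>();

    public SessionIdDemo() throws NoSuchAlgorithmException {
        // SHA1PRNG is the default algorithm named in the thread; the JDK seeds
        // it from the platform entropy source on first use when not seeded by hand.
        this.random = SecureRandom.getInstance("SHA1PRNG");
    }

    /** Point A: the ID is pure random bytes, so it encodes nothing about the user or session. */
    public String newSessionId() {
        byte[] raw = new byte[ID_BYTES];
        random.nextBytes(raw);
        StringBuilder sb = new StringBuilder(ID_BYTES * 2);
        for (byte b : raw) {
            sb.append(HEX[(b >> 4) & 0x0F]).append(HEX[b & 0x0F]);
        }
        String id = sb.toString();
        sessions.put(id, "created");
        return id;
    }

    /** Point B: shape check applied to the cookie value before it reaches any store. */
    public static boolean isWellFormed(String candidate) {
        return candidate != null && VALID_ID.matcher(candidate).matches();
    }

    /** Returns the session only if the candidate passed validation and exists. */
    public Optional<String> lookup(String candidate) {
        if (!isWellFormed(candidate)) {
            // Reject without touching the store; avoid logging the raw value.
            return Optional.empty();
        }
        return Optional.ofNullable(sessions.get(candidate));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SessionIdDemo demo = new SessionIdDemo();
        String id = demo.newSessionId();
        System.out.println("generated: " + id + " (" + (id.length() * 4) + " bits)");
        System.out.println("valid lookup succeeds: " + demo.lookup(id).isPresent());

        // Constructed malformed inputs: empty, path-like, wrong case, wrong length, markup, absent.
        String[] malformed = { "", "../../etc/passwd", id.toLowerCase(), id + "0", "<script>", null };
        for (String m : malformed) {
            System.out.println("rejected " + m + ": " + !demo.lookup(m).isPresent());
        }
    }
}
```

The configuration control Mark mentions is exposed on the Manager element: `sessionIdLength` sets the number of random bytes (16 by default, hence the 128 bits above) and `secureRandomAlgorithm` / `secureRandomClass` select the generator. Note that a Tomcat instance configured with a jvmRoute appends `.` and the route name to the ID, so a validator like the one above would need to admit that suffix in such a deployment.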

