Posted to dev@tomcat.apache.org by bu...@apache.org on 2009/12/10 08:57:17 UTC
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #19 from jcran <jc...@0x0e.org> 2009-12-09 23:57:11 UTC ---
At the risk of sounding like a troll, this is a pretty major security issue.
Why is it only now being dealt with?
True, it's not going to prevent all session fixation, but as Mark Thomas
mentioned, it goes a /long/ way, and makes it /much/ more difficult to pull
off. You can no longer shoot a simple link to a user, and immediately have
access to their session.
Regardless, it does prevent Session Hijacking -
http://en.wikipedia.org/wiki/Session_hijacking - (esp. in applications that
don't expire the session on the server).
Imagine you visit an application at a public PC, and a session ID is written to
the URL. When that page is saved to the browser's cache, the URL is saved with
the JSESSIONID parameter. A user could simply browse this cache, looking for
valid session ids.
Similarly, the session id can be cached in a proxy cache, or be sniffed along
the path.
Until this is fixed, I'm recommending the following:
Prevent SessionID from being written in the URL. There’s not an easy
configuration option for this with Tomcat, unfortunately:
http://forum.springsource.org/archive/index.php/t-27259.html
Ensure a new SessionID is set when the user successfully logs into the
application. This will prevent an attack called Session Fixation:
http://www.acros.si/papers/session_fixation.pdf
Implement relatively quick expiring sessions on the server (30 mins or less)
Implement HTTPS w/ secure cookies (to prevent sidejacking - an issue that will
persist regardless of session ids in the url)
More info here:
http://blog.0x0e.org/post/277275694/tomcats-jsessionid-in-the-url
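A defender-side illustration of the first two recommendations in the comment above, written as an added example for this thread (it is not code from the bug report, from Tomcat, or from the commenter): a servlet filter against the Servlet 2.5 API that keeps ;jsessionid from being appended to URLs and discards any session presented via the URL, plus a helper that issues a fresh session after a successful login. The class and method names are assumptions.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (not part of Tomcat or of this bug's fix), written
// against the Servlet 2.5 API that Tomcat 6 implements.
public class NoUrlSessionFilter implements Filter {

    // Response wrapper that refuses to append ;jsessionid=... to any URL the
    // application encodes, so the id only ever travels in the cookie.
    private static final class NoRewriteResponse extends HttpServletResponseWrapper {
        NoRewriteResponse(HttpServletResponse r) { super(r); }
        @Override public String encodeURL(String url) { return url; }
        @Override public String encodeRedirectURL(String url) { return url; }
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hres = (HttpServletResponse) res;
        // An id that arrived in the URL (cached page, proxy log, shared link) is
        // never trusted: drop the session it names and send the client back to
        // the same path without the path parameter; it gets a cookie-based id.
        if (hreq.isRequestedSessionIdFromURL()) {
            HttpSession s = hreq.getSession(false);
            if (s != null) s.invalidate();
            String path = hreq.getContextPath() + hreq.getServletPath()
                    + (hreq.getPathInfo() == null ? "" : hreq.getPathInfo());
            if (hreq.getQueryString() != null) path += "?" + hreq.getQueryString();
            hres.sendRedirect(path);
            return;
        }
        chain.doFilter(req, new NoRewriteResponse(hres));
    }

    // Call once credentials are verified: retire the pre-login session and copy
    // its attributes into a new one, so an id fixed before login is never promoted.
    public static HttpSession renewSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            for (Enumeration<?> e = old.getAttributeNames(); e.hasMoreElements();) {
                String name = (String) e.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> en : saved.entrySet()) fresh.setAttribute(en.getKey(), en.getValue());
        return fresh;
    }
}
```

Map the filter to /* in web.xml; the short server-side timeout and secure cookies from the remaining recommendations are container and TLS settings rather than application code.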