Posted to dev@tomcat.apache.org by bu...@apache.org on 2009/12/10 08:57:17 UTC

DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks

https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #19 from jcran <jc...@0x0e.org> 2009-12-09 23:57:11 UTC ---
At the risk of sounding like a troll, this is a pretty major security issue.
Why is it only now being dealt with?

True, it's not going to prevent all session fixation, but as Mark Thomas
mentioned, it goes a /long/ way, and makes it /much/ more difficult to pull
off. You can no longer shoot a simple link to a user, and immediately have
access to their session.

Regardless, it does prevent Session Hijacking -
http://en.wikipedia.org/wiki/Session_hijacking - (esp. in applications that
don't expire the session on the server).

Imagine you visit an application at a public PC, and a session ID is written to
the URL. When that page is saved to the browser's cache, the URL is saved with
the JSESSIONID parameter. A user could simply browse this cache, looking for
valid session ids. 

Similarly, the session id can be cached in a proxy cache, or be sniffed along
the path. 

Until this is fixed, I'm recommending the following:

Prevent SessionID from being written in the URL. There’s not an easy
configuration option for this with Tomcat, unfortunately:
   http://forum.springsource.org/archive/index.php/t-27259.html

Ensure a new SessionID is set when the user successfully logs into the
application. This will prevent an attack called Session Fixation:
http://www.acros.si/papers/session_fixation.pdf 

Implement relatively quick expiring sessions on the server (30 mins or less)

Implement HTTPS w/ secure cookies (to prevent sidejacking - an issue that will
persist regardless of session ids in the URL)

More info here: 

http://blog.0x0e.org/post/277275694/tomcats-jsessionid-in-the-url

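As an added example (not code from the bug report, the linked blog post, or Tomcat itself), here is one way to apply the first two recommendations above in application code: a servlet filter that wraps the response so URL rewriting never appends ;jsessionid=..., discards any session that was presented only in the URL, and a helper that issues a fresh session id after a successful login. The class name, the "user" attribute and the filter itself are assumptions; the 30-minute timeout is the figure from the comment.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Assumed filter (map it to /* in web.xml): keeps sessions cookie-only and
// refuses to adopt a session id that arrived in the URL.
public class NoUrlSessionFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hres = (HttpServletResponse) res;

        // A session id carried in the URL (no cookie) is exactly what a cached
        // URL, a proxy log or a planted link would hand us, so treat it as
        // untrusted: invalidate that session instead of continuing it.
        if (hreq.isRequestedSessionIdFromURL()) {
            HttpSession urlSession = hreq.getSession(false);
            if (urlSession != null) urlSession.invalidate();
        }

        // Make the container's URL-rewriting hooks no-ops so application code
        // that calls encodeURL()/encodeRedirectURL() never emits jsessionid.
        chain.doFilter(req, new HttpServletResponseWrapper(hres) {
            @Override public String encodeURL(String url) { return url; }
            @Override public String encodeRedirectURL(String url) { return url; }
            @Override @SuppressWarnings("deprecation")
            public String encodeUrl(String url) { return url; }
            @Override @SuppressWarnings("deprecation")
            public String encodeRedirectUrl(String url) { return url; }
        });
    }

    // Assumed helper, called only after credentials have been verified:
    // drop the pre-login session so a fixated id never becomes an
    // authenticated one, then start a fresh session with a short timeout.
    public static HttpSession renewSessionOnLogin(HttpServletRequest req, String user) {
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession fresh = req.getSession(true);
        fresh.setMaxInactiveInterval(30 * 60); // 30 minutes, as recommended above
        fresh.setAttribute("user", user);
        return fresh;
    }
}
```

Pair this with HTTPS and the secure flag on the session cookie; the filter removes the id from URLs but does nothing for a cookie sent in the clear.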