Posted to users@tomcat.apache.org by GF <ga...@gmail.com> on 2008/01/14 17:03:28 UTC

secure JSessionID

Hello,
can you give me a link about setting up a secure JSessionID cookie? I
mean to let it pass over HTTPS and not HTTP.
Thank you.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: secure JSessionID

Posted by Christopher Schultz <ch...@christopherschultz.net>.

GF,

GF wrote:
|> I believe if your session starts through HTTPS, the cookie will be
|> marked as secure and it won't be sent if the user switches to non-secure
|> HTTP.
|
| Maybe my question is stupid, but, is it possible to browse a site on
| HTTP and having just the JSESSIONID cookie sent on HTTPS to prevent
| session stealing?

Do you mean you want to configure Tomcat such that cookies are only sent
via HTTPS and suppressed for all HTTP traffic?

If yes, then I already told you how to do it: just make sure that your
cookies are created during an HTTPS request and that should be all you need.

If you need your HTTP requests to be related to the same server-side
session, then this is not going to work out for you.

With regard to session stealing... someone on the list recently asked if
Tomcat could be configured to ignore JSESSIONID cookies even if
"cookies" had been turned off in the configuration. I believe the answer
was that Tomcat will use a cookie if it was found, so an attacker could
always send JSESSIONID cookies to you just looking to see if he hits a
valid one.

If you really want to get paranoid, you can create a filter that vetoes
all requests that contain a JSESSIONID cookie but don't use the HTTPS
scheme.

-chris

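The filter Chris describes above, written out as an added example (it is not code from the thread or from Tomcat itself): a javax.servlet Filter against the Servlet 2.5 API that Tomcat 6 ships, which refuses any request carrying a JSESSIONID cookie when the connection was not HTTPS. The class name, the 403 response and the error text are my own choices.

```java
// Added example, not from the thread or from Tomcat. Rejects requests that
// present a JSESSIONID cookie over plain HTTP, as suggested in the reply above.
// Assumes the Servlet 2.5 API (javax.servlet) shipped with Tomcat 6.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HttpsOnlySessionCookieFilter implements Filter {

    private static final String SESSION_COOKIE = "JSESSIONID";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is set by the connector. Behind Apache and mod_jk the AJP
        // connector forwards whether the front end received the request over
        // SSL; behind a plain HTTP proxy it would not, so check your setup.
        if (!request.isSecure() && hasSessionCookie(request)) {
            // The cookie value has already crossed the wire in cleartext, so
            // simply refuse the request instead of serving it.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Session cookie received over a non-HTTPS connection");
            return;
        }
        chain.doFilter(req, res);
    }

    // True if the request carries a cookie named JSESSIONID.
    static boolean hasSessionCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies(); // null when no Cookie header
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (SESSION_COOKIE.equals(c.getName())) return true;
        }
        return false;
    }

    public void destroy() { }
}
```

Map it in web.xml with a filter-mapping whose url-pattern is /* so it runs before any servlet that could read the session.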



Re: secure JSessionID

Posted by GF <ga...@gmail.com>.
> I believe if your session starts through HTTPS, the cookie will be
> marked as secure and it won't be sent if the user switches to non-secure
> HTTP.

Maybe my question is stupid, but, is it possible to browse a site on
HTTP and having just the JSESSIONID cookie sent on HTTPS to prevent
session stealing?
And if possible I would like to set it up... on Apache, mod_jk and Tomcat 6.
Thank you.



Re: secure JSessionID

Posted by Christopher Schultz <ch...@christopherschultz.net>.

GF,

GF wrote:
| can you give me a link about setting up a secure JSessionID cookie? I
| mean to let it pass over HTTPS and not HTTP.

I believe if your session starts through HTTPS, the cookie will be
marked as secure and it won't be sent if the user switches to non-secure
HTTP.

As long as you start the session via HTTPS, you should not have to do
anything else.

-chris
