  • session fixation protection problem

    Hi,

    we have observed an odd behaviour with the session-fixation-protection property in our http setup. We currently define no property which, according to the documentation, should default to migrate-session. However, in Firefox we can see from the request headers that the JSESSIONID never changes after a login and we were actually able to make a session fixation attack using a simple http client and the following scenario:

    when logged out we copied the JSESSIONID, then we logged in and using our http client we sent a request for a secured page with a *Cookie* header containing the *logged out* JSESSIONID. Instead of being served the login page we were served the requested page which is what we were expecting as the ID was the same.

    We are using Tomcat 6 and it seems as if our server is always returning the same JSESSIONID!

    Has anyone come across this issue before? Do you think it's only related to Tomcat?

    Thanks,
    savvas
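
The scenario described in the post, as an added example that is not part of the original thread: the check captures the anonymous JSESSIONID, logs in, and then replays the pre-login id against a secured page. It runs against a constructed in-memory stand-in for the Tomcat application (FakeTomcatApp and its secrets-based ids are assumptions, not real Tomcat code), once for a deployment that rotates ids on login and once for one that does not; against a real deployment the stand-in would be replaced by an HTTP client reading Set-Cookie.

```python
import secrets


class FakeTomcatApp:
    """Constructed stand-in for the deployment in the post: sessions keyed by
    JSESSIONID. rotate_on_login=True models Spring Security's default
    migrateSession behaviour; False models the broken setup described above."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # JSESSIONID -> session attributes

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def login(self, sid, user):
        if self.rotate_on_login:
            # migrateSession: invalidate the old session and copy its
            # attributes into a freshly created one with a new id
            attrs = self.sessions.pop(sid, {})
            sid = self.new_session()
            self.sessions[sid].update(attrs)
        self.sessions.setdefault(sid, {})["user"] = user
        return sid  # the JSESSIONID the client would receive via Set-Cookie

    def secured_page(self, sid):
        # 200 if the id maps to an authenticated session, else redirect to login
        return 200 if self.sessions.get(sid, {}).get("user") else 302


def check_session_fixation(app, user="alice"):
    """Run the test from the post: capture the anonymous JSESSIONID, log in,
    then replay the pre-login id against a secured page. Returns the list of
    findings; an empty list means the deployment rotates ids correctly."""
    anon_sid = app.new_session()
    authed_sid = app.login(anon_sid, user)
    findings = []
    if authed_sid == anon_sid:
        findings.append("JSESSIONID unchanged after login")
    if app.secured_page(anon_sid) == 200:
        findings.append("pre-login JSESSIONID is accepted for a secured page")
    return findings


if __name__ == "__main__":
    print("correct setup:", check_session_fixation(FakeTomcatApp(True)))
    print("broken setup:", check_session_fixation(FakeTomcatApp(False)))
```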

  • #2
    Yes, it is probably related to Tomcat. There is a particular configuration setting which will prevent it from creating a new session ID when the code

    Code:
    ```java
    // migrateSession: drop the old session, then ask the container for a fresh one
    session.invalidate();
    session = request.getSession(true);
    ```
    is executed. I would investigate that further.

    • #3
      thank you very much,

      I'll investigate Tomcat configuration further and reply to this thread with my findings in case someone is interested.

      savvas

      • #5
        Hi Bill,

        Unfortunately we weren't able to find what is causing the problem, at least up to the point where I was still working for the company.

        However, we were almost certain that it has something to do with tc and *not* Spring Security. We had a quick look at tc's default session ID generator strategy but didn't discover much... all should work just fine with the default setup...

        Can you please post the solution if you find one?

        Cheers,
        Savvas.

        • #6
          Looking into the problem I discovered it only occurred when Apache Httpd was used in front of Tomcat. Hitting Tomcat directly always generated a new session ID. So it looked more like something to do with mod_jk (but I'm not an httpd expert).

          I posted a message on the Tomcat mailing list but didn't get a reply: http://osdir.com/ml/users-tomcat.apa.../msg00869.html
          Last edited by rapaul; Apr 26th, 2010, 05:01 AM.
