  • session fixation protection problem


    We have observed an odd behaviour with the session-fixation-protection property in our http setup. We currently define no property which, according to the documentation, should default to migrate-session. However, in Firefox we can see from the request headers that the JSESSIONID never changes after a login and we were actually able to make a session fixation attack using a simple http client and the following scenario:

    When logged out, we copied the JSESSIONID, then we logged in and using our http client we sent a request for a secured page with a *Cookie* header containing the *logged out* JSESSIONID. Instead of being served the login page we were served the requested page, which is what we were expecting as the ID was the same.

    We are using Tomcat 6 and it seems as if our server is always returning the same JSESSIONID!

    Has anyone come across this issue before? Do you think it's only related to Tomcat?

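The scenario in the first post, replayed offline as an added illustration (this is not code from the thread, from Spring Security or from Tomcat): a toy in-memory session registry stands in for the servlet container's JSESSIONID handling, so the effect of "migrate session" versus "keep the same ID" on login can be compared, and the check a practitioner would want, that the ID presented before login no longer reaches a secured page afterwards, is returned by the function rather than eyeballed in a browser. The names `SessionRegistry`, `login` and `request_secured_page` are invented for this model.

```python
"""Toy model of session fixation and the migrate-session mitigation.

Added illustration, not code from the thread or from Spring Security/Tomcat.
The registry mimics what a servlet container does with JSESSIONID so the
scenario from post #1 can be replayed without a running server.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Server-side session state keyed by a JSESSIONID-like identifier."""
    attributes: dict = field(default_factory=dict)

    @property
    def user(self) -> Optional[str]:
        return self.attributes.get("user")


class SessionRegistry:
    """Hypothetical stand-in for the container's session manager."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_hex(16)  # 128-bit random ID, as a container would issue
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login(self, sid: str, user: str, migrate: bool) -> str:
        """Authenticate the caller and return the session ID the client must use
        from now on.

        migrate=True models Spring Security's migrateSession: the pre-login ID is
        invalidated and its attributes are copied to a freshly issued ID.
        migrate=False keeps the ID, which is the behaviour the thread reports.
        """
        old = self._sessions[sid]
        if not migrate:
            old.attributes["user"] = user
            return sid
        new_sid = self.new_session()
        self._sessions[new_sid].attributes.update(old.attributes)
        self._sessions[new_sid].attributes["user"] = user
        del self._sessions[sid]  # the ID known before authentication is now dead
        return new_sid

    def request_secured_page(self, cookie_sid: str) -> str:
        """Serve 'secured page' to an authenticated session, else 'login page'."""
        session = self.get(cookie_sid)
        if session is None or session.user is None:
            return "login page"
        return "secured page"


def replay_thread_scenario(migrate: bool) -> tuple[bool, str]:
    """Replay post #1: note the logged-out JSESSIONID, log in, then present the
    old ID from a second client. Returns (id_changed_on_login, page_served_to_old_id).
    """
    registry = SessionRegistry()
    pre_login_id = registry.new_session()  # ID observed while logged out
    post_login_id = registry.login(pre_login_id, "alice", migrate=migrate)
    served = registry.request_secured_page(pre_login_id)  # second client, old cookie
    return post_login_id != pre_login_id, served


if __name__ == "__main__":
    for migrate in (False, True):
        changed, served = replay_thread_scenario(migrate)
        print(f"migrate={migrate}: ID changed={changed}, old ID is served '{served}'")
```

Against a real deployment the equivalent check is to compare the `JSESSIONID` in the login response's `Set-Cookie` header with the one sent in the login request, and then to replay the pre-login cookie against a secured URL expecting a redirect to the login page; if the ID is unchanged, the migration is not happening at the layer that issues the cookie, which is the distinction the later posts in this thread draw between Tomcat and the httpd/mod_jk front end.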

  • #2
    Yes, it is probably related to Tomcat. There is a particular configuration setting which will prevent it from creating a new session ID when the code

    is executed. I would investigate that further.


    • #3
      thank you very much,

      I'll investigate Tomcat configuration further and reply to this thread with my findings in case someone is interested.



      • #5
        Hi Bill,

        Unfortunately we weren't able to find what is causing the least up to the point where I was still working for the company.

        However, we were almost certain that it has something to do with tc and *not* Spring Security. We had a quick look at tc's default session ID generator strategy but didn't discover much... all should work just fine with the default setup...

        Can you please post the solution if you find one?



        • #6
          Looking into the problem I discovered it only occurred when Apache Httpd was used in front of Tomcat. Hitting Tomcat directly always generated a new session ID. So it looked more like something to do with mod_jk (but I'm not an httpd expert).

          I posted a message on the Tomcat mailing list but didn't get a reply:
          Last edited by rapaul; Apr 26th, 2010, 04:01 AM.