Re: Form Based Authentication creates user session before it is authenticated?
Chuck,

On 5/13/2009 8:16 AM, Caldarale, Charles R wrote:
> From: umeshkavade [mailto:umeshkav...@yahoo.co.in]
> Subject: Re: Form Based Authentication creates user session before it is authenticated?
>
>> P.S: BTW, is Tomcat planning to resolve this vulnerability in near future?
>
> I'll bite: what vulnerability are you referring to?

Session fixation, which is essentially a form of session hijacking. Basically, you get yourself a session and a session id from the server. You write that down and walk away. Then, you trick someone else into sitting down and logging in. Since the session id does not change, you can go to another machine, hijack the user's session, and impersonate them.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form Based Authentication creates user session before it is authenticated?
Martin,

On 5/13/2009 9:27 AM, Martin Gainty wrote:
> if you are asking how to overcome man-in-the-middle fraudulent manipulation based on basic authentication?

He's not.

> and/or man-in-the-middle fraudulent manipulation based on form-based authentication which uses j_username and j_password and posts back to j_security_check using cleartext?

He's not asking that, either.

> I would suggest implementing authentication using either Message-Digest or HTTPS Message-Digest

This does not solve the problem, which is session hijacking, not protection of credentials. You have wasted a great deal of your time coming up with that response. Instead, you should have read the referenced thread and contributed to the discussion of protection against session fixation, instead of posting tips on how to protect credentials.

-chris
RE: Form Based Authentication creates user session before it is authenticated?
> From: umeshkavade [mailto:umeshkav...@yahoo.co.in]
> Subject: Re: Form Based Authentication creates user session before it is authenticated?
>
> P.S: BTW, is Tomcat planning to resolve this vulnerability in near future?

I'll bite: what vulnerability are you referring to?

- Chuck
RE: Form Based Authentication creates user session before it is authenticated?
> From: chuck.caldar...@unisys.com
> To: users@tomcat.apache.org
> Date: Wed, 13 May 2009 07:16:50 -0500
> Subject: RE: Form Based Authentication creates user session before it is authenticated?
>
>> From: umeshkavade [mailto:umeshkav...@yahoo.co.in]
>> Subject: Re: Form Based Authentication creates user session before it is authenticated?
>>
>> P.S: BTW, is Tomcat planning to resolve this vulnerability in near future?
>
> I'll bite: what vulnerability are you referring to?
>
> - Chuck
Re: Form Based Authentication creates user session before it is authenticated?
> No, you'd have to write your own authentication mechanism. Tomcat is required to store the request that triggered authentication for re-play after a successful authentication. If not the request, where else should it be stored?

Christopher, thanks for the reply. This is in line with my analysis.

Actually, I am trying to address the 'Session Fixation' issue in my web application. I saw your reply on the thread http://www.nabble.com/How-to-avoid-session-fixation--td15311806.html. In one of the replies you gave the following suggestion to address the issue:

- a custom valve contains the whole implementation
- requests to the servlet/URI j_security_check are intercepted
- for intercepted requests the current session is destroyed and a new one is created:

  -- snip --
  ...
  request.getSession().invalidate();
  request.getSession(true);
  ...
  -- snap --

- to have a proper redirect to the originally requested page, the original request has to be copied from the old session to the new one. I filter out any references to the old session id, although I'm not sure whether this is really necessary.

I think this would solve my problem. The only blocker for me is the step "requests to the servlet/URI j_security_check are intercepted". I did not get good info on Google which would teach me how I can do this. Pointers on this would be of great help.

Thanks,
Umesh

P.S: BTW, is Tomcat planning to resolve this vulnerability in near future?

--
View this message in context: http://www.nabble.com/Form-Based-Authentication-creates-user-session-before-it-is-authenticated--tp23455945p23515249.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
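The "intercept j_security_check" step asked about above, written out as an added example. This is not code from the thread, from the earlier Nabble post it quotes, or from Tomcat itself; the package and class names are invented, and it assumes the Catalina API of Tomcat 7 through 9 (org.apache.catalina.* from catalina.jar, javax.servlet.* from the servlet API). It follows the quoted outline: catch the POST to j_security_check, copy the Catalina session notes (FormAuthenticator keeps the saved pre-login request there, not in the servlet-visible attributes), expire the session the browser presented, create a fresh one, and put the notes back so the post-login redirect to the originally requested page still works.

```java
// Added example, not from the thread or from Tomcat: a Catalina Valve that
// rotates the session when the login form is posted to j_security_check.
// Assumes Tomcat 7-9 (org.apache.catalina.* from catalina.jar, javax.servlet.*
// from the servlet API). Package and class names are invented.
package com.example.valves;

import java.io.IOException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

import javax.servlet.ServletException;

import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class SessionFixationValve extends ValveBase {

    /** Login action defined by the Servlet spec for FORM authentication. */
    static final String LOGIN_ACTION = "/j_security_check";

    /** True for the request that carries the credentials: a POST to j_security_check. */
    static boolean isLoginPost(String uri, String method) {
        return uri != null && uri.endsWith(LOGIN_ACTION) && "POST".equalsIgnoreCase(method);
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        if (isLoginPost(request.getRequestURI(), request.getMethod())) {
            rotateSession(request);
        }
        // The authenticator valve sits further down the Context pipeline, so it
        // now sees the fresh session (with the copied notes) rather than the one
        // whose id an attacker may have handed to the victim.
        getNext().invoke(request, response);
    }

    /**
     * Expire the session presented with the login POST and replace it with a
     * new one, carrying over the Catalina session notes. FormAuthenticator
     * stores the saved pre-login request as a note, not as a servlet-visible
     * attribute, so the notes are what must survive for the redirect to the
     * originally requested page to keep working after login.
     */
    static void rotateSession(Request request) {
        Session old = request.getSessionInternal(false);
        if (old == null) {
            return; // no session came with the login POST; nothing to rotate
        }
        Map<String, Object> notes = new HashMap<String, Object>();
        for (Iterator<String> names = old.getNoteNames(); names.hasNext();) {
            String name = names.next();
            notes.put(name, old.getNote(name));
        }
        // Servlet-visible attributes are deliberately not copied: whatever an
        // unauthenticated session accumulated is discarded together with its id.
        old.expire();
        // Once the old session is invalid, getSessionInternal(true) creates a
        // brand-new session and queues a Set-Cookie carrying the new id.
        Session fresh = request.getSessionInternal(true);
        for (Map.Entry<String, Object> e : notes.entrySet()) {
            fresh.setNote(e.getKey(), e.getValue());
        }
    }
}
```

Register it in the web application's META-INF/context.xml with a Valve element naming the class (here the assumed com.example.valves.SessionFixationValve). It has to be a Valve rather than a servlet Filter: the authenticator that ContextConfig appends to the Context pipeline runs before any Filter is reached, so a Filter never sees j_security_check with the old session still in place, whereas a Valve declared in context.xml runs ahead of the authenticator. Later Tomcat releases made this hand-rolled Valve unnecessary by adding a changeSessionIdOnAuthentication attribute to the authenticator valves (default true; present in Tomcat 7 onward and backported to the 6.0.x line later in 2009), which rotates the session id itself once the credentials check succeeds.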
Re: Form Based Authentication creates user session before it is authenticated?
Christopher,

I got the solution. Thanks.

Umesh
Re: Form Based Authentication creates user session before it is authenticated?
Umesh,

On 5/8/2009 9:03 PM, umeshkavade wrote:
> In my web application, I am using Tomcat's form-based authentication for protecting my secure web pages. Thus whenever a user starts accessing the webapp by providing a URL of a protected page, it is redirected to the login page. However, while doing so it creates a session. I do not want my web application to create a session until the user logs into the system.

Pid is right, you can't avoid this. Tomcat stores the original request that caused authentication to be triggered in the session. Technically, it's not stored in the session attributes (so you can't manipulate it), but it's definitely tied to the session. If you want to avoid session creation, you'll have to roll your own authentication mechanism.

> I tried to figure out how the form authenticator is working. I got the source code of FormAuthenticator at:
> http://www.java2s.com/Open-Source/Java-Document/Sevlet-Container/tomcat-catalina/org/apache/catalina/authenticator/FormAuthenticator.java.htm

You should get the source code from the actual source repository:
http://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java

> Is there any way to avoid this and tell Tomcat not to create a session?

No, you'd have to write your own authentication mechanism. Tomcat is required to store the request that triggered authentication for re-play after a successful authentication. If not the request, where else should it be stored?

-chris
Re: Form Based Authentication creates user session before it is authenticated?
umeshkavade wrote:
> Hello,
>
> In my web application, I am using Tomcat's form-based authentication for protecting my secure web pages. Thus whenever a user starts accessing the webapp by providing a URL of a protected page, it is redirected to the login page. However, while doing so it creates a session. I do not want my web application to create a session until the user logs into the system.
>
> I tried to figure out how the form authenticator is working. I got the source code of FormAuthenticator at:
> http://www.java2s.com/Open-Source/Java-Document/Sevlet-Container/tomcat-catalina/org/apache/catalina/authenticator/FormAuthenticator.java.htm
>
> While processing the first request, Tomcat calls the FormAuthenticator.authenticate() method, which is calling the getSession method, which creates a session.
>
> Is there any way to avoid this and tell Tomcat not to create a session?

The session is created (if it doesn't already exist) when you request a protected resource; the original request is stored in the session so it can be restored after authentication has succeeded.

So you need the user to have a session *before* authentication takes place.

p

> Inputs on this will be of great help. Thanks in advance.
>
> - Umesh
Re: Form Based Authentication creates user session before it is authenticated?
Pid wrote:
> umeshkavade wrote:
>> Is there any way to avoid this and tell Tomcat not to create a session?
>
> The session is created (if it doesn't already exist) when you request a protected resource; the original request is stored in the session so it can be restored after authentication has succeeded.

Actually, on reflection, I'm not sure the original request is stored in the session itself. But in either case, the session *is* created beforehand and you can't avoid this.

p

> So you need the user to have a session *before* authentication takes place.
>
> p
RE: Form Based Authentication creates user session before it is authenticated?
Take a look at HttpServletRequest.code for the method which creates a new session via getSession(request,true):
http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Core/Servlet-API-by-tomcat/javax/servlet/http/HttpServletRequest.java.htm

getSession(request,true) will create a new Session
getSession(request,false) will NOT create a new session

The FormAuthenticator.java authenticate method shows the calls to getSession for which a new Session will be created, e.g.
http://www.java2s.com/Open-Source/Java-Document/Sevlet-Container/tomcat-catalina/org/apache/catalina/authenticator/FormAuthenticator.java.htm

authenticate method (calls to getSession method):
  if (ssoId != null)
  107:     associate(ssoId, getSession(request, true));
  128: session = getSession(request, true);
  161: session = getSession(request, true);
  198: session = getSession(request, true);
  243: if (session == null)
  244:     session = getSession(request, false);

matchRequest:
  287: Session session = getSession(request, false);

HTH
Martin Gainty

> Date: Sat, 9 May 2009 10:35:37 +0100
> From: p...@pidster.com
> To: users@tomcat.apache.org
> Subject: Re: Form Based Authentication creates user session before it is authenticated?
>
> Pid wrote:
>> umeshkavade wrote:
>>> Is there any way to avoid this and tell Tomcat not to create a session?
>>
>> The session is created (if it doesn't already exist) when you request a protected resource; the original request is stored in the session so it can be restored after authentication has succeeded.
>
> Actually, on reflection, I'm not sure the original request is stored in the session itself. But in either case, the session *is* created beforehand and you can't avoid this.
>
> p
>
>> So you need the user to have a session *before* authentication takes place.
>>
>> p