Probably partially resolved by the patch I forward previously.
>From M. Frey....
La prise de conscience de votre propre ignorance est un grand pas vers la
connaissance.
-- Benjamin Disraeli
>-----Original Message-----
>From: Amrhein, Thomas [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, February 28, 2001 5:59 PM
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: [Security Issue] Sessions are visible across multiple clients
>
>
>Hi all,
>
>one session can be visible on multiple clients!!
>
>THIS IS A BIG SECURITY PROBLEM!
>
>Someone opens his webbrowser and has the session of somebody else.
>So critical data could be viewed without permission.
>Somebody can act as somebody else.
>
>What's wrong with tomcat's session-handling?
>
>I wrote a web application which can reproduce this.
>
>I'm working with Tomcat 3.3m1 on WinNT4.
>On 3.2 I have the same problems sometimes with our application
>but it is not reproducable there.
>
>To reproduce this:
>- put sessiontest.war in %TOMCAT_HOME%/webapps/
>- start Tomcat
>- open browser1 (Netscape 4.7 or IE5) on machine1 (close it
>before if it's
>already open)
>- locate browser1 on http://yourtomcat/sessiontest/index.jsp
>(a cookie will
>be set)
>- browser1: login with name for example 'Testuser1'
>- browser1: show settings (The name is displayed)
>- open browser2 on machine2 (close it before if it's already open)
>- locate browser2 on http://yourtomcat/sessiontest/index.jsp
>(a cookie will
>be set)
>
>Browser2 now sees the same content like browser1 (logged in as
>Testuser1).
>Look for the sourcecode in the .war. All objects are session-bound.
>Normally you should not be logged in.
>Remember that you are on different machines! They should have different
>cookies, different
>sessions, different usernames.
>Sometimes but not often, they have the same Session-ID (I can
>not reproduce
>this).
>
>Bug #723: sessions are not properly recycled
>Perhaps my issue belongs to this.
>
>I've seen different bugs reported but not solved belonging to
>session-handling.
>#131,152,183,189,267,429,723,731
>
>Can somebody reproduce this behaviour somewhere else?
>And can this behaviour also happen in Tomcat 3.2/3.2.1 (I
>don't know the
>code)?
>
>regards,
>
>Thomas
>
>PS: I'm new to tomcat-dev-mailinglist (two or three hours) to
>stay tuned.
>Perhaps it's already discussed and patched. Please inform me.
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
