On 25/11/2015 10:50, Utkarsh Dave wrote:
> Hello,
>
> I need inputs/answers on the points below to implement a secure session
> management application.
> Or, if there is any configuration that may need to be tuned to improve
> the points below, please point me to that.
>
> A)
> Are session IDs cryptographically strong and do not reveal sensitive
> information, so that they can't be guessed easily or used to find attack
> vectors?
> Do we meet the following?
> 1. Are strong entropy sources being used to generate the session ID value?

Yes, it uses java.security.SecureRandom by default.

> 2. Are strong cryptographic algorithms being used to generate the session
> ID value?

Yes, SHA1PRNG by default.

> 3. Does the session ID value provide at least 128 bits of entropy?

Yes, the session ID is 16 bytes / 128 bits long by default.

> 4. Is the session ID value meaningless, to prevent information disclosure
> attacks that allow recovery of the contents of the ID and extraction of
> details of the user, the session, or the inner workings of the web
> application?

Yes.

> B)
> Are the session IDs fully validated before they may be used?
> When using a session ID to keep authentication state and track user progress
> within a web application, the application MUST treat the session ID as
> untrusted data, and sanitize and validate it before use.

Yes.

As with most things in Tomcat, configuration provides a lot of control over session ID generation, but the default settings meet the requirements you set out above.

Mark
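The following is an added illustration, not code from this thread or from Tomcat itself. It mirrors the defaults Mark describes (16 bytes from a SecureRandom instance using SHA1PRNG, rendered as 32 upper-case hex characters) and shows the kind of format check point B calls for: an inbound session ID is rejected before any session-store lookup unless it has exactly the shape the generator produces. The class name, the `ID_BYTES` constant, the `VALID_ID` pattern and the sample inputs are assumptions made for the example; the optional `.jvmRoute` suffix reflects Tomcat's behaviour of appending `.` plus the route name when one is configured, but the character set allowed for it here is an assumption, not Tomcat's rule.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.regex.Pattern;

// Added example, not Tomcat source: generate a session ID the way the
// thread describes the defaults, and validate inbound IDs as untrusted input.
public class SessionIdExample {

    // 16 bytes = 128 bits of random material (the default length named in the thread).
    static final int ID_BYTES = 16;

    // Assumed accept pattern: 32 upper-case hex digits, optionally followed by
    // "." and a jvmRoute name. Anything else is refused before a store lookup.
    static final Pattern VALID_ID =
            Pattern.compile("^[0-9A-F]{32}(\\.[A-Za-z0-9_-]{1,64})?$");

    private final SecureRandom random;

    SessionIdExample() throws NoSuchAlgorithmException {
        // SHA1PRNG is the default algorithm named in the reply; the JDK seeds
        // it from the platform entropy source on first use.
        this.random = SecureRandom.getInstance("SHA1PRNG");
    }

    /** Draws ID_BYTES random bytes and renders them as upper-case hex. */
    String generateSessionId() {
        byte[] buf = new byte[ID_BYTES];
        random.nextBytes(buf);
        StringBuilder sb = new StringBuilder(ID_BYTES * 2);
        for (byte b : buf) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    /**
     * Validation step from point B: the ID arrives from the client (cookie or
     * URL), so it is checked purely on format before it touches the session
     * store. A syntactically valid ID still proves nothing; the store lookup
     * decides whether it belongs to a live session.
     */
    static boolean isWellFormedSessionId(String candidate) {
        if (candidate == null) {
            return false;
        }
        return VALID_ID.matcher(candidate).matches();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SessionIdExample gen = new SessionIdExample();
        String id = gen.generateSessionId();
        System.out.println("generated: " + id + " (" + id.length() + " hex chars)");
        System.out.println("valid generated id : " + isWellFormedSessionId(id));
        System.out.println("valid with route   : " + isWellFormedSessionId(id + ".node1"));

        // Constructed malformed inputs that a validator must refuse.
        String[] rejects = {
                null,                       // missing cookie
                "",                         // empty
                id.substring(0, 31),        // too short
                id.toLowerCase(),           // wrong case for this generator
                id + " ",                   // trailing whitespace
                "not-a-session-id"          // arbitrary text
        };
        for (String r : rejects) {
            System.out.println("reject " + String.valueOf(r) + " -> "
                    + isWellFormedSessionId(r));
        }
    }
}
```

The check is deliberately a whitelist on the exact shape the generator emits rather than a blacklist of bad characters: if the ID length or character set is changed in the Manager configuration, the pattern must change with it, which keeps the generator and the validator from drifting apart.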