On 07.04.2016 at 17:40, Arno Schäfer wrote:
Hi all,

I have the following problem: we have a very old, somewhat complex webapp
that runs under Tomcat 7.0.54 on Windows.
I have to maintain some functionality and came to a point that I can't
understand. Some requests have to have an authentication,
and this is bound to the JSESSIONID. So the idea is to channel these requests
to a filter and handle the necessary things when a new
session is created or destroyed. So during a create event I put the ID in a map
and do some things, and after the destroy I remove it
from the map. So far, so boring.

When a session gets 'authenticated' its id will change to prevent session fixation attacks. If you are interested in the events telling you the change you have two possibilities:

1. Use Servlet API 3.1 and use an HttpSessionIdListener (which means upgrading to Tomcat 8 or newer).
2. Use a ContainerListener.

Regards,
 Felix
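The first option above, as an added example that is not code from either poster: a Servlet 3.1 listener that keys the same kind of map on the JSESSIONID but re-files the entry when the container rotates the id, so the destroy event finds the entry that the create event put there. Class and field names are hypothetical; it assumes a Servlet 3.1 container (Tomcat 8 or newer) and a web.xml or annotation scanning that registers @WebListener classes.

```java
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

/**
 * Hypothetical listener (Servlet 3.1+, Tomcat 8 or newer) that keeps a map
 * keyed by JSESSIONID and follows the key when the container rotates the id
 * after authentication, so the destroy event always finds the entry that was
 * filed at create time.
 */
@WebListener
public class SessionIdTrackingListener implements HttpSessionListener, HttpSessionIdListener {

    /** Placeholder for whatever the filter needs to remember per session. */
    public static final class TrackedSession {
        final Instant created = Instant.now();
        volatile String previousId; // last id this entry was filed under, for diagnostics
    }

    private static final Map<String, TrackedSession> SESSIONS = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        SESSIONS.put(se.getSession().getId(), new TrackedSession());
    }

    /**
     * Fired for HttpServletRequest.changeSessionId() and for the container's own
     * rotation after a successful login. Re-file the entry under the new id;
     * without this step the entry keyed by oldSessionId is orphaned forever.
     */
    @Override
    public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
        HttpSession session = se.getSession();
        TrackedSession tracked = SESSIONS.remove(oldSessionId);
        if (tracked == null) {
            // Session predates this listener or was never filed: start an entry now.
            tracked = new TrackedSession();
        }
        tracked.previousId = oldSessionId;
        SESSIONS.put(session.getId(), tracked);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        String id = se.getSession().getId();
        if (SESSIONS.remove(id) == null) {
            // A miss here means an id change went unobserved: log it, because that
            // is exactly the leak the map was showing before.
            se.getSession().getServletContext().log("no tracked entry for destroyed session " + id);
        }
    }

    /** Sessions currently tracked; this should drop back to zero once all time out. */
    public static int trackedCount() {
        return SESSIONS.size();
    }
}
```

The rotation itself is the container's session-fixation defence, so the fix belongs on the tracking side rather than in switching the rotation off. An even simpler design that does not care about the id at all is to store the per-session state as a session attribute (HttpSession.setAttribute) and read it back in sessionDestroyed from the HttpSession object, which stays the same object across an id change.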


After I noticed that the map would not become empty even after the session
timeout had passed, I looked a little deeper into it and
found out that the ID of one session changed during startup one or two times,
depending on the situation, without activating the
session listener. So only the first ID was put in the map, but it never got
the destroy event, because the value of the ID was changed
in between and the destroy event goes to the new ID!

I added some output in our session filter, which gets all requests, that should
illustrate my problem. Here it is:

: ===============================================
: Start Tomcat in debug mode on port '8000'...
: ===============================================
Using CATALINA_BASE:   "C:\SQSProfessional\10.8.000_BL13\wl\10.8.0\108000_BL13"
Using CATALINA_HOME:   "C:\SQSProfessional\10.8.000_BL13\wl\10.8.0\tomcat"
Using CATALINA_TMPDIR: 
"C:\SQSProfessional\10.8.000_BL13\wl\10.8.0\108000_BL13\temp"
Using JRE_HOME:        "C:\SQSPRO~1\103299~1.000\jre\x64\1.8.0"
Using CLASSPATH:       
"C:\SQSProfessional\10.8.000_BL13\wl\10.8.0\tomcat\bin\bootstrap.jar;
C:\SQSProfessional\10.8.000_BL13\wl\10.8.0\tomcat\bin\tomcat-juli.jar;C:\SQSProfessional\
10.8.000_BL13\corba\asp\6.3\lib\tomcat-corba.jar;C:\SQSProfessional\10.8.000_BL13\nl\10.8.0\
bin\PPMClient.jar;C:\SQSProfessional\10.8.000_BL13\wl\10.8.0\tomcat\bin\bootstrap.jar;C:\
SQSProfessional\10.8.000_BL13\wl\10.8.0\tomcat\bin\tomcat-juli.jar"
:
Apr 07, 2016 4:25:22 PM org.apache.catalina.startup.Catalina start
INFORMATION: Server startup in 8439 ms
:

# This is the output from my session filter, which shows you the JSESSIONID from
every incoming request,
# the servlet path and whether the session is new or old.
# This protocol is only from one request to
'http://n61l44x1:9452/ppm/index.jsp', waiting a while, closing
# the browser tab and waiting again for the session timeout.
#
====================================================================================
Session: 'UNKNOWN' in servlet path '/index.jsp'
Session: 'D815B22EC5680EE5F3760D58E33BBF39' created (MaxInactiveInterval = 
60)<-- output from the 'create' event from the listener after my 'getSession()'
Session: 'D815B22EC5680EE5F3760D58E33BBF39' in servlet path '/index.jsp' was 
created. (NEW)
Session: 'D815B22EC5680EE5F3760D58E33BBF39' in servlet path '/index.jsp' was 
authenticated by 'sra' (NEW)
Apr 07, 2016 4:26:18 PM de.sqs.tomcat.realm.BITRealm authenticate<-- here are 
two calls to our realm for our authentification in the tomcat, why???
INFORMATION: (tomcat): Try authentification of 'sra'...
Apr 07, 2016 4:26:18 PM de.sqs.tomcat.realm.BITRealm authenticate
INFORMATION: (tomcat): Try authentification of 'sra'...
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/applet.jsp' 
(OLD)<-- now you see here in output that the JSESSIONID is changed, but no call 
to destroy/create was made
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path 
'/selectworkspace.jsp' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/alive' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path 
'/selectWorkspaceAction.do' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/alive' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path 
'/images/icons/up.gif' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path 
'/images/folder.gif' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path 
'/images/icons/project.gif' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path 
'/images/icons/filterreset.gif' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/images/doc.gif' 
(OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path 
'/images/icons/filteredit.gif' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path 
'/images/icons/clock.gif' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path 
'/images/icons/backupws.gif' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path 
'/images/icons/plugin.gif' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/images/job.gif' 
(OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path 
'/images/activity.gif' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path 
'/images/icons/right.gif' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path 
'/images/icons/report.gif' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/alive' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/alive' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/alive' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/alive' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/alive' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/alive' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/alive' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/alive' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/alive' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/alive' (OLD) <-- 
here I closed the browser and after a minute:
:
Apr 07, 2016 4:33:25 PM de.sqs.newline.testcenter.BIT removeTCSession
INFORMATION: Lookup for HTTP session: 'F742E60445E91DED73C64FD6D9A8E38A -> 
failed!
Session: 'F742E60445E91DED73C64FD6D9A8E38A' destroyed (MaxInactiveInterval = 
0)<-- output from the 'destroy' event from the listener, recognize the ID from 
the create event!
:
<EOL>

I have really checked that there is only one place in our code where
'request.getSession()' is called,
and that is in the situation when a request is received that has no session but
should have one.

The question is: why does the value of the ID change without notice, why was
Tomcat's authentication
called twice after the first 'getSession()' call, and is this responsible
for the ID change?

The configuration of the Tomcat is attached. It is only one HTTP connector with
one webapp and its own
Realm.

Thanks for your interest,
best regards
Arno



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
