David,

david delbecq wrote:
| Sorry Christopher, but I tried at work, it's very easy to force a user
| to use a specific sessionid, and later use yourself that session id to
| gain that user's credential, and for the whole session there is only one
| login, the one from the user you attempt to hijack.

Right, I knew that Tomcat was vulnerable to session hijacking.

| As such, tomcat is
| vulnerable to session fixation issues. Tomcat does not check where the
| session originates from (IP of requester is not associated with
| session). By passing a ;jsessionid=.... to a url and asking someone to
| "check something on that url", you can, after that user logged in, use
| yourself the same url to gain that user's credential.

Perhaps I misread the Session Fixation idea. I thought it was:

1. Login as a low-privileged user
2. Return that browser to the login page without logging out
3. Convince a higher-privileged user to login using the same session
4. Hijack the session in another browser

I believe this scenario is not possible in Tomcat due to the restrictions
I outlined in my previous message. On the other hand, skipping #1 and
/not/ logging in as a lowly user first /will/ allow session hijacking.

I believe the only way to prevent Session Fixation is to switch up
sessions at authentication time. I suppose a container-based
implementation could change the id of the session and keep the physical
session intact. Non-container strategies would have to move any relevant
data from the untrusted session to the newly created session. That might
have odd consequences for objects that implement SessionBindingListener
and expect that removal from a session is the end of the session.
-chris
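The "non-container strategy" Chris describes, as an added example that is not part of the thread and not Tomcat's own code: a Java helper that, once credentials have been verified, invalidates the pre-authentication session (discarding any id the client may have been handed) and carries only an explicit allow-list of attributes into a freshly created session. The class name SessionRotation, the rotate method and the LoginServlet sketch are hypothetical; the servlet API calls (getSession, invalidate, getAttributeNames, setAttribute) are the standard javax.servlet ones. Objects implementing HttpSessionBindingListener on the old session will receive valueUnbound during invalidate(), which is exactly the side effect the message warns about, so anything that treats unbinding as logout should be excluded from the allow-list or re-created rather than copied.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not part of Tomcat): replace the session that existed
 * before authentication with a new one so that a session id chosen or observed
 * by a third party before login is no longer valid afterwards.
 */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * @param request the current request, after credentials were verified
     * @param keep    names of attributes that may be carried over (allow-list);
     *                everything else set before login is dropped on purpose
     * @return the new session, with a freshly generated id
     */
    public static HttpSession rotate(HttpServletRequest request, Set<String> keep) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // No pre-authentication session exists, so there is nothing to
            // discard; just create a fresh one.
            return request.getSession(true);
        }

        // Copy allow-listed attributes out before the old session disappears.
        Map<String, Object> carried = new HashMap<>();
        Enumeration<String> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            if (keep.contains(name)) {
                carried.put(name, old.getAttribute(name));
            }
        }

        // Invalidating the old session makes its id useless to anyone who
        // learned it earlier. HttpSessionBindingListener objects bound to it
        // get valueUnbound here, the "odd consequence" noted in the thread.
        old.invalidate();

        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}

/* Sketch of the call site inside a hypothetical login servlet:
 *
 *   if (authenticate(username, password)) {          // application's own check
 *       HttpSession s = SessionRotation.rotate(req, Set.of("cart", "locale"));
 *       s.setAttribute("principal", username);       // set only on the new session
 *       resp.sendRedirect("/home");
 *   }
 */
```

Containers implementing Servlet 3.1 or later (Tomcat 8 onwards) also offer the container-based variant Chris speculates about: HttpServletRequest.changeSessionId() assigns a new id to the existing session object, so attributes and binding listeners are untouched. The allow-list approach above remains useful on older containers and whenever the application wants to deliberately drop state that was written before the user was authenticated.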