I think this is worth submitting a security issue request on the tracker, to ask that, at least, the container links the requester IP to the session. Changing the session ID upon login in the container would be a good thing imho; it would ensure the ID becomes unknown to the attacker after login, wouldn't destroy the user session (keep the session, only change its identifier) and would work whatever authentication mechanism is used. The drawback is that webapps that rely on the session ID for some session tracking mechanism would break.

btw, your hack is limited to form-based authentication; I successfully "shared" an authenticated session on Tomcat 5.5.7 using HTTP basic authentication. One of the computers had access to the secured resource without ever being prompted for user/pass.


On 08/02/08 10:49, Christoph Lenggenhager wrote:
David, Christopher

Thank you for sharing your thoughts.

It seems to me that there is no standard solution to this problem, but you
agree with me that the problem exists.

As I mentioned before, I came up with a solution that looks promising.

Here's a rough description, I'd welcome your opinions/concerns:

- a custom valve contains the whole implementation
- requests to the servlet/URI "j_security_check" are intercepted
- for intercepted requests the current session is destroyed
  and a new one is created:

  -- snip --
  ...
  // drop the pre-login session so the ID the attacker may know is gone
  request.getSession().invalidate();
  // create a fresh session (new JSESSIONID) before authentication continues
  request.getSession(true);
  ...
  -- snap --

- to have a proper redirect to the originally requested page
  the original request has to be copied from the old session
  to the new one.
  I filter out any references to the old session id, although I'm
  not sure whether this is really necessary.

Well, first of all, I'm in the comfortable situation that I'm not interested
in any session attributes that existed before the actual login, so
this makes things easier.
Furthermore, it's clearly a homemade hack, but it seems to do the job.


Do you think it's worth opening a bug/feature request concerning this
issue? I actually think
that this is clearly a task the container should take care of.

Thanks.

regards,
christoph

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


--
http://www.devlog.be (a belgian developer's logs)
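The valve Christoph describes above, written out as an added example (this is not code from the thread or from Tomcat itself): it intercepts requests to j_security_check, carries the old session's attributes (including the saved original request the form authenticator stores there) over to a freshly created session, and invalidates the old one, so a session ID fixed before login is no longer valid afterwards. The class and package names are assumptions; the Catalina classes used (ValveBase, connector Request/Response) are the real Tomcat API of that era. It assumes the valve is declared in the Context so it runs ahead of the authenticator valve in the pipeline. As the reply above notes, this only covers form-based login; HTTP basic authentication never passes through j_security_check.

```java
package example.valves; // assumed package name, not part of Tomcat

import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpSession;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Replaces the session on form-login submissions so the session identifier
 * established before authentication cannot be reused after it (session
 * fixation defence). Attributes are copied over, so the form authenticator
 * still finds the saved original request and can redirect to it.
 */
public class SessionRenewalValve extends ValveBase {

    /** Form-login action URI, relative to the web application. */
    private static final String LOGIN_URI_SUFFIX = "/j_security_check";

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String uri = request.getRequestURI();
        if (uri != null && uri.endsWith(LOGIN_URI_SUFFIX)) {
            renewSession(request);
        }
        // hand the (now renewed) request down the pipeline to the authenticator
        getNext().invoke(request, response);
    }

    /**
     * Copies attributes out of the current session, invalidates it and
     * creates a new session carrying the same attributes under a new ID.
     */
    static void renewSession(Request request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // no session yet: just make sure one exists for the authenticator
            request.getSession(true);
            return;
        }
        Map<String, Object> carried = new HashMap<String, Object>();
        for (String name : Collections.list(old.getAttributeNames())) {
            carried.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
    }
}
```

A quick check that it works is to note the JSESSIONID cookie before submitting the login form and again afterwards: the value must differ, and a second client that presented the old ID before login must be treated as unauthenticated. Copying every attribute is a convenience for the redirect; if the application keeps pre-login state it does not trust, filter the copied names instead of carrying them all.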


