Hi Mark, Well, it seems that www.securitymetrics.com got crazy! They already told me that they made some changes in their system, and now they are having problems (bugs). I was just asking myself: How can their automatized procedure know if I am vulnerable to the session fixation problem, if it doesnt know a valid user+password, so it is not being able to actually login to my system?
Anyway, something good came from this: I realized that actually my system was not safe to session fixation. After the login process, it was not invalidating the session and creating a new one. Now it is. I just had to program the system to save the attributes, invalidadte the current session, create a new one, and recreate the attributes. Fortunately, Tomcat generates a new session ID for the new session. It seems that it was not happening in the previous versions of Tomcat and in other containers (according to what I have read in some forums), but now it is. Thanks for all your help! > -----Original Message----- > From: Mark Thomas [mailto:ma...@apache.org] > Sent: Sunday, October 10, 2010 03:09 PM > To: Tomcat Users List > Subject: Re: JSESSIONID weakness Severity in Tomcat 6.0.29? > > On 10/10/2010 20:59, Brian wrote: > > Hi Mark, > > > > Do you understand exactly what vulnerability are they talking about? > > No. It doesn't make much sense to me at the minute. I'd ask for more specific > information. > > > For > > some reason, they have determined that I have it, even though I'm not > > using Jrun but they wrongly assume I am. > > Looks like it so far. It all depends how they are detecting the vulnerability. It > could be a false positive but there isn't enough information to tell. > > > What do you mean exactly with "app managing its own authentication"? > > Sorry if it is a dumb question. > > If you use Tomcat's authentication (BASIC, FORM, etc) then Tomcat will change > the session ID on authentication and therefore protect against session fixation. > > If the app has its own authentication mechanism it is possible that the session ID > will not be changed on authentication creating the possibility for a session > fixation attack. > > > I found this on Google, and now that I read it I realize they are > > quoting you! :-) > > http://www.developer.com/java/web/article.php/3904871/Top-7-Features-i > > n-Tomc > > at-7-The-New-and-the-Improved.htm > > Is this the same subject? > > Yep, although that is looking at Tomcat 7. The session fixation protection (along > with a handle of other things originally developed for Tomcat 7) got back-ported > to Tomcat 6. > > Mark > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
