
Thread: session fixation protection problem

  1. #1
    Join Date
    Jul 2009
    Location
    London, UK
    Posts
    47

    session fixation protection problem

    Hi,

    we have observed odd behaviour with the session-fixation-protection property in our HTTP setup. We currently define no property, which, according to the documentation, should default to migrate-session. However, in Firefox we can see from the request headers that the JSESSIONID never changes after a login, and we were actually able to perform a session fixation attack using a simple HTTP client and the following scenario:

    When logged out, we copied the JSESSIONID; then we logged in and, using our HTTP client, sent a request for a secured page with a *Cookie* header containing the *logged-out* JSESSIONID. Instead of being served the login page, we were served the requested page, which is what we were expecting, as the ID was the same.

    We are using Tomcat 6 and it seems as if our server is always returning the same JSESSIONID!

    Has anyone come across this issue before? Do you think it's only related to Tomcat?

    Thanks,
    savvas

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    Yes, it is probably related to Tomcat. There is a particular configuration setting which will prevent it from creating a new session ID when the code

    Code:
     // invalidate the current session and ask the container for a fresh one;
     // the new session is expected to carry a different ID
     session.invalidate();
     session = request.getSession(true);
    is executed. I would investigate that further.
    Spring - by Pivotal
    twitter @tekul
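As an added illustration of the migration Luke describes (example code written for this thread, not Spring Security's or Tomcat's own), here is a helper that the login code can call right after authentication succeeds and before anything is written to the response: it copies the attributes into a fresh session and flags the symptom reported above, the container handing back the same ID. The class, method and attribute handling are hypothetical, and it assumes the Servlet API is on the classpath.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: migrate-session style rotation plus a check that the ID really changed. */
public final class SessionMigration {
    private static final Logger LOG = Logger.getLogger(SessionMigration.class.getName());

    private SessionMigration() {}

    /**
     * Copies the attributes of the current session into a fresh one (the same
     * invalidate/getSession(true) sequence shown above) and returns true only if
     * the container issued a different session ID. Call it from the login code
     * after authentication succeeds and before the response is committed, so the
     * new Set-Cookie header can still reach the browser.
     */
    public static boolean migrate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // Nothing to carry over: a brand-new session is all that is needed.
            request.getSession(true);
            return true;
        }
        String oldId = old.getId();
        Map<String, Object> attrs = new HashMap<String, Object>();
        // Servlet 2.5 (Tomcat 6) returns a raw Enumeration, so cast the names explicitly.
        for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
            String name = (String) names.nextElement();
            attrs.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        boolean rotated = !fresh.getId().equals(oldId);
        if (!rotated) {
            // The symptom reported in this thread: the ID survived invalidation, so a
            // cookie captured before login still names the authenticated session.
            LOG.warning("Session ID was not rotated after login; "
                    + "check the container and any fronting proxy configuration");
        }
        return rotated;
    }
}
```

A failing return value here is worth surfacing in monitoring, since it means the migrate-session protection is silently ineffective on that deployment.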

  3. #3
    Join Date
    Jul 2009
    Location
    London, UK
    Posts
    47


    Thank you very much,

    I'll investigate Tomcat configuration further and reply to this thread with my findings in case someone is interested.

    savvas

  4. #4


    Savvas,

    Were you able to determine a solution? I am having a similar problem.

    Thanks for your help.

    Bill

  5. #5
    Join Date
    Jul 2009
    Location
    London, UK
    Posts
    47


    Hi Bill,

    Unfortunately we weren't able to find what was causing the problem, at least up to the point where I was still working for the company.

    However, we were almost certain that it has something to do with tc and *not* Spring Security. We had a quick look at tc's default session ID generator strategy but didn't discover much; all should work just fine with the default setup.

    Can you please post the solution if you find one?

    Cheers,
    Savvas.

  6. #6
    Join Date
    Jun 2009
    Posts
    10


    Looking into the problem, I discovered it only occurred when Apache httpd was used in front of Tomcat. Hitting Tomcat directly always generated a new session ID. So it looked more like something to do with mod_jk (but I'm not an httpd expert).

    I posted a message on the Tomcat mailing list but didn't get a reply: http://osdir.com/ml/users-tomcat.apa.../msg00869.html
    Last edited by rapaul; Apr 26th, 2010 at 04:01 AM.
