Hi Chris, I already tried with AJP, but I can't get rid of the JSESSIONID cookie either.
Regards,
-- Joan Morales

On 28/09/2012, at 19:11, Christopher Schultz <ch...@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Konstantin,
>
> On 9/28/12 10:27 AM, Konstantin Kolinko wrote:
>> 2012/9/28 Joan Morales <joan....@gmail.com>:
>>> Hi,
>>>
>>> I have a security issue (hijack session) with JSESSIONID cookie,
>>>
>>> here is the problem:
>>>
>>> I am using an architecture with an Apache2 server in front of
>>> Tomcat, I have configured the SSL on both sides
>>> Apache (ssl_module) and Tomcat (Connectors JSSE),
>>>
>>> 1) I tried using a connection via AJP protocol to connect between
>>> Apache2 and Tomcat using the following configuration on the
>>> server.xml:
>>>
>>> APACHE (httpd) via HTTP/HTTPS
>>> <VirtualHost *:80>
>>> ProxyPass / http://localhost:8080/ <http://educaixahost:8080/>
>>> ProxyPassReverse / http://localhost:8080/ <http://educaixahost:8080/>
>>> </VirtualHost>
>>>
>>> via AJP
>>> <VirtualHost *:80>
>>> ProxyPass / ajp://localhost:8009/ <http://educaixahost:8080/>
>>> ProxyPassReverse / ajp://localhost:8009/ <http://educaixahost:8080/>
>>> </VirtualHost>
>>>
>>> <VirtualHost *:443>
>>> ServerAdmin ad...@mail.com
>>> ServerName localhost:443
>>> SSLProxyEngine on
>>> SSLEngine on
>>> SSLCertificateFile "c:/usr/SSL/name.crt"
>>> SSLCertificateKeyFile "c:/usr/SSL/name.key"
>>> ProxyPass / https://localhost:8443/
>>> ProxyPassReverse / https://localhost:8443/
>>> </VirtualHost>
>>>
>>> Tomcat (server.xml)
>>>
>>> <Connector URIEncoding="UTF-8" connectionTimeout="20000"
>>> port="8080" protocol="HTTP/1.1" redirectPort="8443"
>>> secure="true"/>
>>> <Connector URIEncoding="UTF-8" port="8009"
>>> protocol="AJP/1.3" redirectPort="8443" scheme="https"
>>> secure="true"/>
>>>
>>> Results for this solution: I still can get the JSESSIONID cookie
>>>
>>> 2) I tried using the HTTP/S protocol to connect between Apache2
>>> and Tomcat using the following configuration:
>>>
>>> Apache: Same configuration
>>>
>>> Tomcat (server.xml):
>>>
>>> <Connector URIEncoding="UTF-8" connectionTimeout="20000"
>>> port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
>>>
>>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>> maxThreads="150" scheme="https" secure="true"
>>> keystoreFile="path/name.keystore" keystorePass="password"
>>> clientAuth="false" sslProtocol="TLS" />
>>>
>>> I also added this on the web.xml:
>>>
>>> <session-config>
>>> <session-timeout>30</session-timeout>
>>> <tracking-mode>SSL</tracking-mode>
>>> </session-config>
>>>
>>> Results for this solution:
>>>
>>> The JSESSIONID cookie disappears OK. Everything works OK if I
>>> access directly to the Tomcat and bypass the Apache
>>> (localhost:8443), I can login into the web page and keep the
>>> session in every link inside the app
>>>
>>> but, when I try to access through the Apache in https on port 443
>>> ( https://localhost:443 <https://localhost/>), I can login the
>>> first time but when I try to access somewhere else in the app I
>>> lose the user session and the app logs me out, I checked over the
>>> logs and there are no errors either in apache or tomcat
>>>
>>> So, is this solution implementable under this architecture? Am I
>>> missing some configurations?
>>
>> So you are trying to do
>>
>> Browser -> (HTTPS) -> Apache HTTPD -> (HTTPS) -> Tomcat
>>
>> In this case there are 2 different HTTPS connections.
>>
>> <session-config>
>> <session-timeout>30</session-timeout>
>> <tracking-mode>SSL</tracking-mode>
>> </session-config>
>>
>> The above "SSL" session tracking configuration wouldn't work,
>> because from Tomcat's point of view the only connection that it
>> sees is the one from Apache HTTPD. It knows the "sslSession" identifier
>> of this connection only.
>>
>> To use "SSL" session tracking you should connect to Tomcat
>> directly.
>
> What about using Browser -> (HTTPS) -> httpd -> (AJP) -> Tomcat?
>
> Since httpd forwards all the SSL information, can Tomcat sniff that
> and successfully use SSL-based session identification?
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>
> iEYEARECAAYFAlBl2jIACgkQ9CaO5/Lv0PAYBwCfe+61S3DHa+VBsCLz5Ca9LYfl
> Tl4An0o8OI43y/ZJ8QIve5EM1FXZFPSh
> =7NU3
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
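Added note, not part of the thread above: Konstantin's point is that with httpd terminating TLS in front of Tomcat, Tomcat only ever sees httpd's own TLS session, so `<tracking-mode>SSL</tracking-mode>` cannot tie a browser to a session through the proxy. For that topology the session id has to travel as a cookie, and the hijack concern is then handled by hardening the cookie rather than by removing it. The fragment below is an added example of the Servlet 3.0 `<cookie-config>` element (available from Tomcat 7) and is not configuration posted by anyone in the thread; it assumes the proxied layout from Joan's option 1 (Browser -> HTTPS -> httpd -> AJP or HTTPS -> Tomcat), and the 30-minute timeout is kept from the original web.xml.

```xml
<!-- web.xml, Servlet 3.0 (Tomcat 7+). Added example; assumes httpd terminates
     TLS in front of Tomcat, where SSL session tracking cannot work. -->
<session-config>
    <session-timeout>30</session-timeout>

    <!-- Cookie tracking only: no URL rewriting (;jsessionid=...), so the id
         never lands in access logs, Referer headers or bookmarks. -->
    <tracking-mode>COOKIE</tracking-mode>

    <cookie-config>
        <!-- HttpOnly keeps JSESSIONID out of reach of page scripts. -->
        <http-only>true</http-only>
        <!-- Secure makes the browser send the cookie over HTTPS only; the
             connector's secure="true"/scheme="https" from the thread tells
             Tomcat the proxied request was HTTPS, this forces the flag too. -->
        <secure>true</secure>
    </cookie-config>
</session-config>
```

Whether Tomcat can instead reuse the browser's TLS session id that httpd forwards over AJP, as Chris asks, is left open in the thread; the cookie settings above do not depend on the answer, and they apply equally to the AJP and the HTTPS back-end variants.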