Hi Cris,

I already tried with AJP, but I can't get rid of the JSESSIONID cookie either.

Regards,
--
Joan Morales

On 28/09/2012, at 19:11, Christopher Schultz <ch...@christopherschultz.net> 
wrote:

> Konstantin,
> 
> On 9/28/12 10:27 AM, Konstantin Kolinko wrote:
>> 2012/9/28 Joan Morales <joan....@gmail.com>:
>>> Hi,
>>> 
>>> I have a security issue (session hijacking) with the JSESSIONID cookie;
>>> 
>>> here is the problem:
>>> 
>>> I am using an architecture with an Apache2 server in front of
>>> Tomcat. I have configured SSL on both sides,
>>> Apache (ssl_module) and Tomcat (JSSE connectors).
>>> 
>>> 1)  I tried using a connection via the AJP protocol between
>>> Apache2 and Tomcat using the following configuration in the
>>> server.xml:
>>> 
>>> APACHE (httpd) via HTTP/HTTPS:
>>> 
>>> <VirtualHost *:80>
>>>     ProxyPass / http://localhost:8080/
>>>     ProxyPassReverse / http://localhost:8080/
>>> </VirtualHost>
>>> 
>>> via AJP:
>>> 
>>> <VirtualHost *:80>
>>>     ProxyPass / ajp://localhost:8009/
>>>     ProxyPassReverse / ajp://localhost:8009/
>>> </VirtualHost>
>>> 
>>> <VirtualHost *:443>
>>>     ServerAdmin ad...@mail.com
>>>     ServerName localhost:443
>>>     SSLProxyEngine on
>>>     SSLEngine on
>>>     SSLCertificateFile "c:/usr/SSL/name.crt"
>>>     SSLCertificateKeyFile "c:/usr/SSL/name.key"
>>>     ProxyPass / https://localhost:8443/
>>>     ProxyPassReverse / https://localhost:8443/
>>> </VirtualHost>
>>> 
>>> Tomcat (server.xml):
>>> 
>>> <Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8080"
>>>            protocol="HTTP/1.1" redirectPort="8443" secure="true"/>
>>> <Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3"
>>>            redirectPort="8443" scheme="https" secure="true"/>
>>> 
>>> Results for this solution: I can still get the JSESSIONID cookie.
>>> 
>>> 2)  I tried using the HTTP/S protocol to connect between Apache2
>>> and Tomcat using the following configuration:
>>> 
>>> Apache: Same configuration
>>> 
>>> Tomcat (server.xml):
>>> 
>>> <Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8080"
>>>            protocol="HTTP/1.1" redirectPort="8443"/>
>>> 
>>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>>            maxThreads="150" scheme="https" secure="true"
>>>            keystoreFile="path/name.keystore" keystorePass="password"
>>>            clientAuth="false" sslProtocol="TLS" />
>>> 
>>> I also added this in the web.xml:
>>> 
>>> <session-config>
>>>     <session-timeout>30</session-timeout>
>>>     <tracking-mode>SSL</tracking-mode>
>>> </session-config>
>>> 
>>> Results for this solution:
>>> 
>>> The JSESSIONID cookie disappears OK. Everything works OK if I
>>> access the Tomcat directly and bypass the Apache
>>> (localhost:8443): I can log in to the web page and keep the
>>> session in every link inside the app.
>>> 
>>> But when I try to access through the Apache in https on port 443
>>> (https://localhost:443), I can log in the first time, but when I
>>> try to access somewhere else in the app I lose the user session
>>> and the app logs me out. I checked over the logs and there are no
>>> errors in either Apache or Tomcat.
>>> 
>>> So, is this solution implementable under this architecture? Am I
>>> missing some configuration?
>> 
>> So you are trying to do
>> 
>> Browser -> (HTTPS) -> Apache HTTPD -> (HTTPS) -> Tomcat
>> 
>> In this case there are 2 different HTTPS connections.
>> 
>> <session-config>
>>     <session-timeout>30</session-timeout>
>>     <tracking-mode>SSL</tracking-mode>
>> </session-config>
>> 
>> The above "SSL" session tracking configuration wouldn't work,
>> because from Tomcat's point of view the only connection that it
>> sees is the one from Apache HTTPD. It knows only the "sslSession"
>> identifier of this connection.
>> 
>> To use "SSL" session tracking you should connect to Tomcat
>> directly.
> 
> What about using Browser -> (HTTPS) -> httpd -> (AJP) -> Tomcat?
> 
> Since httpd forwards all the SSL information, can Tomcat sniff that
> and successfully use SSL-based session identification?
> 
> - -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
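A diagnostic filter, added here as an example and not code from the thread or from Tomcat itself, that logs which TLS session identifier Tomcat sees for each request and how the HttpSession was resolved. It assumes the Servlet 3.0 API (Tomcat 7); the filter name is hypothetical. Comparing its log lines for direct access (port 8443) against access through httpd (port 443) shows which TLS session Tomcat is keying on, which is exactly Konstantin's point about the proxy-side connection.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Diagnostic filter (added example, hypothetical name): logs the TLS
 * session id Tomcat sees plus how the HttpSession was resolved, so an
 * administrator can check whether SSL session tracking can work behind
 * httpd. Remove it once the investigation is done; it logs session ids.
 */
@WebFilter("/*")
public class SslSessionDiagnosticFilter implements Filter {

    // Request attribute name defined by the Servlet spec for the TLS session id.
    private static final String SSL_SESSION_ID = "javax.servlet.request.ssl_session_id";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        String tlsId = (String) r.getAttribute(SSL_SESSION_ID);
        HttpSession s = r.getSession(false);

        // With Browser -> httpd -> (HTTPS) -> Tomcat, tlsId belongs to the
        // httpd-to-Tomcat connection, not to the browser; that is the value
        // the SSL tracking mode keys the HttpSession on.
        r.getServletContext().log(String.format(
            "%s %s secure=%b tlsSession=%s httpSession=%s fromCookie=%b fromURL=%b modes=%s",
            r.getMethod(), r.getRequestURI(), r.isSecure(),
            tlsId == null ? "<none>" : tlsId,
            s == null ? "<none>" : s.getId(),
            r.isRequestedSessionIdFromCookie(), r.isRequestedSessionIdFromURL(),
            r.getServletContext().getEffectiveSessionTrackingModes()));
        chain.doFilter(req, res);
    }
}
```

If the logged tlsSession value is the same for requests coming from two different browsers, Tomcat has no way to tell those clients apart by TLS session, and SSL tracking cannot be used on that path.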
