2015-02-03 14:04 GMT+03:00 Rory Kelly <rory.ke...@fernsoftware.com>:
> Hi Chris,
>
> Sorry for the late reply, I wound up working from home yesterday, and access
> to the server was less than ideal
> I'm just gonna dump the Headers from the login get, through to when it dumps
> me back out at the login.
>
> #response
> HTTP/1.1 302 Found
> Cache-Control: no-cache, no-store, must-revalidate, max-age=0
> Connection: keep-alive
> Content-Length: 0
> Content-Type: text/html;charset=utf-8
> Date: Tue, 03 Feb 2015 10:50:03 GMT
> Location: http://redacted.site.io/login

1) Does the above Location header name the same web site?

If you are redirected to a different site, the browser will use a different set of cookies for it (as your Set-Cookie headers do not set a domain for the cookie, and thus it is limited to a single site).

> Server: nginx/1.6.2 (Ubuntu)
> Set-Cookie:
> ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836; path=/;
> expires=Tue, 03 Feb 2015 10:55:03 -0000; HttpOnly

2) Is "ib" your session cookie? Is it created by Tomcat (just with a different cookie name), or by something else?

3) Generally I would expect a cookie change when a FORM challenge is issued, but the Set-Cookie header has the same cookie value as before. Thus my guess of a different site name.

(CVE-2013-2067)
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.33

4) Is the time value correct? Is the client's clock correct?

Comparing the Date header in the response and the cookie, it is valid for 5 minutes only. If the client's clock is wrong, it may expire the cookie earlier than in 5 minutes.

> X-XSS-Protection: 1; mode=block
> x-content-type-options: nosniff
> x-frame-options: SAMEORIGIN
>
> ##Redirect
> GET /login HTTP/1.1
> redacted.site.io
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
> Firefox/35.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://boyle.fern.io/login/challenge

5) Leaking a site name....

> Cookie: ib=f7e8f6d4823853063b94e16a1f5252b06b62de621361f67ac6fdeca7259c0ec3
> Connection: keep-alive

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
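A small script, added here and not part of the thread, that runs the checks behind questions 1, 3 and 4 over the quoted 302 response: whether Location stays on the request host, whether the cookie is host-only (no Domain attribute), whether the session value changed across the challenge, and the cookie lifetime relative to the server's own Date header. The header values are copied from the quoted message; the "previous" cookie value is an assumption, set equal to the re-issued one because the reply states the value did not change.

```python
import calendar
import email.utils
from urllib.parse import urlsplit

# Constructed sample: the 302 challenge response quoted in the thread, reduced
# to the headers the checks need (values copied from the quoted message).
RESPONSE_HEADERS = {
    "Date": "Tue, 03 Feb 2015 10:50:03 GMT",
    "Location": "http://redacted.site.io/login",
    "Set-Cookie": ("ib=0c270113fc19aebbd07dd40bb401a3695d17cd722fa5d0b3743cfb8c7ef87836;"
                   " path=/; expires=Tue, 03 Feb 2015 10:55:03 -0000; HttpOnly"),
}

def http_date_to_epoch(value):
    """Parse an RFC 1123 date (Date header or cookie expires); '-0000' counts as UTC."""
    parts = email.utils.parsedate_tz(value)
    if parts is None:
        raise ValueError("unparseable HTTP date: %r" % value)
    return calendar.timegm(parts[:9]) - (parts[9] or 0)

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value or True})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, cookie_value = first.partition("=")
    attrs = {}
    for part in rest:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), cookie_value.strip(), attrs

def check_challenge_response(headers, request_host, previous_cookie_value=None):
    """Answer questions 1, 3 and 4 from the thread for one 302 challenge response."""
    name, value, attrs = parse_set_cookie(headers["Set-Cookie"])
    findings = {
        "cookie_name": name,
        # Q1: the browser only sends a host-only cookie (no Domain attribute) back
        # to the host that set it, so a redirect to another host loses the session.
        "redirect_same_host": urlsplit(headers["Location"]).hostname == request_host,
        "cookie_host_only": "domain" not in attrs,
        "httponly": "httponly" in attrs,
        # Q3: a FORM challenge would normally issue a new session id (see the
        # CVE-2013-2067 link in the thread); an unchanged value is worth a look.
        "value_changed": previous_cookie_value is None or value != previous_cookie_value,
    }
    # Q4: lifetime = expires minus the server's Date; a short window plus a skewed
    # client clock can expire the cookie before the login form is submitted.
    if "expires" in attrs:
        findings["lifetime_seconds"] = (http_date_to_epoch(attrs["expires"])
                                        - http_date_to_epoch(headers["Date"]))
    return findings
```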