Thank you, Mark.

On Wed, Nov 25, 2015 at 4:39 PM, Mark Thomas <ma...@apache.org> wrote:
> On 25/11/2015 10:50, Utkarsh Dave wrote:
> > Hello,
> >
> > I need inputs/answers on the points below to implement a secure session
> > management application. Or, if there is any configuration that may need
> > to be tuned to improve the below, please point me to that.
> >
> > A)
> > Are session IDs cryptographically strong and do not reveal sensitive
> > information, so that they can't be guessed easily or used to find attack
> > vectors?
> > Do we meet the below?
> > 1. Are strong entropy sources being used to generate the session ID value?
>
> Yes, it uses java.security.SecureRandom by default.
>
> > 2. Are strong cryptographic algorithms being used to generate the session
> > ID value?
>
> Yes, SHA1PRNG by default.
>
> > 3. Does the session ID value provide at least 128 bits of entropy?
>
> Yes, the session ID is 16 bytes / 128 bits long by default.
>
> > 4. Is the session ID value meaningless, to prevent information disclosure
> > attacks allowing recovery of the contents of the ID and extraction of
> > details of the user, the session, or the inner workings of the web
> > application?
>
> Yes.
>
> > B)
> > Are the session IDs fully validated before they may be used?
> > When using the session ID to keep authentication state and track user
> > progress within a web application, the application MUST treat the session
> > ID as untrusted data, and sanitize and validate it before use.
>
> Yes.
>
> As with most things in Tomcat, configuration provides a lot of control
> over session ID generation but the default settings meet the
> requirements you set out above.
>
> Mark
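As an added example (not from this thread and not Tomcat's own code), a small Python check that treats a Tomcat-shaped session ID as untrusted input, as point B requires, and reports the 16-byte / 128-bit size from point A3. The shape assumed here (32 uppercase hex characters, optionally followed by `.` and a jvmRoute) and the route's character set are assumptions about Tomcat's default format, not something stated in the thread.

```python
import re
import secrets

SESSION_ID_BYTES = 16  # Tomcat default per the thread: 16 bytes = 128 bits
MAX_ROUTE_LEN = 64     # assumption: cap on the optional jvmRoute suffix

# Assumed default shape: random bytes rendered as uppercase hex, optionally
# followed by ".<jvmRoute>" (letters, digits, '-' and '_' assumed allowed).
_SESSION_ID_RE = re.compile(
    r"^(?P<rand>[0-9A-F]{%d})(?:\.(?P<route>[A-Za-z0-9_-]{1,%d}))?$"
    % (SESSION_ID_BYTES * 2, MAX_ROUTE_LEN)
)


def generate_session_id(route=None):
    """Produce a Tomcat-shaped ID: 128 bits from the OS CSPRNG, hex-encoded.

    The value carries no user, time or host information, so it satisfies the
    'meaningless to the client' property asked about in point A4."""
    sid = secrets.token_bytes(SESSION_ID_BYTES).hex().upper()
    return f"{sid}.{route}" if route else sid


def validate_session_id(raw):
    """Return the ID if it has the expected shape, otherwise None.

    The value arrives from the client (cookie or URL) and is untrusted:
    anything that is not exactly 32 hex characters plus an optional route
    is rejected before it reaches the session store, logs or any
    string-building code.  Length is checked first so the regex never
    sees oversized input."""
    if not isinstance(raw, str):
        return None
    if len(raw) > SESSION_ID_BYTES * 2 + 1 + MAX_ROUTE_LEN:
        return None
    match = _SESSION_ID_RE.match(raw)
    return match.group(0) if match else None


def entropy_bits(sid):
    """Bits the random portion can carry, ignoring any route suffix."""
    rand = sid.split(".", 1)[0]
    return (len(rand) // 2) * 8
```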