Utkarsh,

On 11/25/15 6:29 AM, Utkarsh Dave wrote:
> Thank you, Mark
>
> On Wed, Nov 25, 2015 at 4:39 PM, Mark Thomas <ma...@apache.org> wrote:
>
>> On 25/11/2015 10:50, Utkarsh Dave wrote:
>>> Hello,
>>>
>>> I need inputs/answers on the points below to implement a secure session
>>> management application.
>>> Or, if there is any configuration that may need to be tuned to improve
>>> the points below, please point me to that.
>>>
>>> A)
>>> Are session IDs cryptographically strong, and do they not reveal sensitive
>>> information, so that they can't be guessed easily or used to find attack
>>> vectors?
>>> Do we meet the below:
>>> 1. Are strong entropy sources being used to generate the session ID
>>> value?
>>
>> Yes, it uses java.security.SecureRandom by default.
>>
>>> 2. Are strong cryptographic algorithms being used to generate the
>>> session ID value?
>>
>> Yes, SHA1PRNG by default.
>>
>>> 3. Does the session ID value provide at least 128 bits of entropy?
>>
>> Yes, the session ID is 16 bytes / 128 bits long by default.
>>
>>> 4. Is the session ID value meaningless, to prevent information disclosure
>>> attacks allowing recovery of the contents of the ID and extraction of
>>> details of the user, the session, or the inner workings of the web
>>> application?
>>
>> Yes.
>>
>>> B)
>>> Are the session IDs fully validated before they may be used?
>>> When using the session ID to keep authentication state and track user
>>> progress within a web application, the application MUST treat the
>>> session ID as untrusted data, and sanitize and validate it before use.
>>
>> Yes.
>>
>> As with most things in Tomcat, configuration provides a lot of control
>> over session ID generation but the default settings meet the
>> requirements you set out above.
>>
>> Mark

Good luck on your checkbox-based security audit!

-chris
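The two requirements the thread settles on (a 128-bit ID from a CSPRNG, and validating the ID as untrusted input before it touches session state), as an added Python example that is not part of the thread or of Tomcat's own code. It assumes Tomcat's hex ID shape of 16 bytes with an optional `.jvmRoute` suffix, which the thread does not spell out, and the counter-based generator is a constructed bad example for contrast.

```python
import re
import secrets
from collections import Counter
from typing import Iterable, List, Optional

# Assumed ID shape (not stated in the thread): hex of sessionIdLength bytes
# (Tomcat default 16 bytes -> 32 hex chars), optionally ".<jvmRoute>" in a cluster.
SESSION_ID_BYTES = 16
_HEX_CORE = re.compile(r"^[0-9A-Fa-f]{%d}$" % (SESSION_ID_BYTES * 2))
_JVM_ROUTE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")  # conservative charset, an assumption


def validate_session_id(raw: Optional[str]) -> Optional[str]:
    """Treat the cookie value as untrusted: accept only the exact expected shape.

    Returns the normalised ID (upper-case hex, route kept as sent) or None.
    Wrong length, non-hex characters or a malformed route suffix are rejected
    before the value can be used for a session store lookup.
    """
    if not raw or len(raw) > 2 * SESSION_ID_BYTES + 1 + 32:
        return None
    core, dot, route = raw.partition(".")
    if not _HEX_CORE.match(core):
        return None
    if dot and not _JVM_ROUTE.match(route):
        return None
    return core.upper() + (dot + route if dot else "")


def passes_randomness_smoke_test(ids: Iterable[str], tolerance: float = 0.5) -> bool:
    """Crude batch check: no repeated IDs and no grossly skewed hex-digit frequency.

    This is not an entropy proof; it only flags generators that are obviously
    broken (collisions, or a digit whose share deviates from 1/16 by more than
    `tolerance` of the expected count).
    """
    ids = list(ids)
    if len(ids) != len(set(ids)):
        return False  # duplicate IDs mean two sessions would share an identifier
    digits = Counter(ch for i in ids for ch in i.split(".")[0].lower())
    expected = sum(digits.values()) / 16
    return all(abs(digits[d] - expected) / expected <= tolerance for d in "0123456789abcdef")


def strong_ids(n: int) -> List[str]:
    """IDs from a CSPRNG at Tomcat's default width (16 bytes / 128 bits)."""
    return [secrets.token_hex(SESSION_ID_BYTES).upper() for _ in range(n)]


def counter_ids(n: int) -> List[str]:
    """Constructed bad generator: a zero-padded counter, patterned and predictable."""
    return [f"{i:032X}" for i in range(n)]
```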