Pieter Temmerman wrote:
> Hi list.
> I've got an issue which I would like to share with you guys.
> My webapp requires a user to login, which in turn creates a session
> for that user.
> Now, when I browse my webapp the address bar shows the current URL with
> a JSESSIONID. Let's say:
> http://testweb/testpageaction.do;jsessionid=SD23SL4DE134ADFF565D
> If I execute this same URL on another machine, then I am able to browse
> my webapp as if I was logged in. I expected the session to be invalid
> for this request.
> I've searched Google for jsessionid hijacking and found some ways to
> prevent the jsessionid from appearing in the URL, or at least to ignore
> jsessionids passed by URL.

The session ID is passed by URL rewriting or by cookie. Either way is open
to sniffers. The only way to avoid sniffers is to use SSL for the entire
user session. SSL encrypts the information and also ensures that both
sides are talking to whom they expect to talk and not to a man in the
middle.

> However, as the jsessionid URL rewriting is defined in the servlet
> specification, I would expect this to be secure.

Nope. You are assuming away all the problems.

> Therefore I was wondering whether the hijacking is caused by a
> misconfiguration of Tomcat, my webapp, or is rather completely normal.
> I would really appreciate it if someone could shed light on this.

See comments above. You start with SSL, then you should add more layers
of security. For example you should ensure that users may only arrive at
one of your pages by way of another of your pages. This is sometimes
called transaction integrity. I cannot provide info on how we do that
without compromising our security, but you should be able to figure out
something for your own use. And there are other layers of security to
add, logs to review, etc.

--cheers,
HH

> P.S.: I'm using Tomcat 5.5.27 - jdk 1.5.0_15.
> Thanks in advance.
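One concrete way to implement the "ignore jsessionids passed by URL" mitigation mentioned in the question, on the Servlet 2.4 API that Tomcat 5.5 provides: a filter that refuses any session ID presented in the URL and stops the container from rewriting IDs into links. This is an added example, not code from the thread or from Tomcat; the login path `/login.do` and the class name are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Rejects any request whose session ID arrived in the URL (;jsessionid=...)
 * and neutralises URL rewriting so generated links never carry the ID.
 * Map it to /* in web.xml, ahead of the application's own filters.
 */
public class UrlSessionIdFilter implements Filter {

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // An ID that came from the URL is untrusted: drop the session it names
        // (so a copied link cannot ride on it) and send the client to login.
        // Tomcat prefers the cookie when both are present, so cookie users pass.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // "/login.do" is an assumed login entry point for this example.
            response.sendRedirect(request.getContextPath() + "/login.do");
            return;
        }

        // Make encodeURL()/encodeRedirectURL() identity functions so the
        // container never appends ;jsessionid= to links it renders. Clients
        // that refuse cookies will simply not get a persistent session.
        chain.doFilter(request, new HttpServletResponseWrapper(response) {
            public String encodeURL(String url) { return url; }
            public String encodeRedirectURL(String url) { return url; }
            public String encodeUrl(String url) { return url; }
            public String encodeRedirectUrl(String url) { return url; }
        });
    }
}
```

Pair this with HTTPS for the whole session and the cookie's secure flag, since the filter only closes the URL path; a cookie sent over plain HTTP is still visible to the sniffers described above.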
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org