Google "session fixation" --> http://en.wikipedia.org/wiki/Session_fixation
On Oct 10, 2010, at 6:24 PM, Brian wrote:
> Mark,
>
> I'm not using either "basic" or "form". I developed my own solution, which
> works great for me.
> Assuming that "session fixation" is my problem, what would you suggest
> I do? Is there any web page on the internet that explains the issue?
>
>
>> -----Original Message-----
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Sent: Sunday, October 10, 2010 03:09 PM
>> To: Tomcat Users List
>> Subject: Re: JSESSIONID weakness Severity in Tomcat 6.0.29?
>>
>> On 10/10/2010 20:59, Brian wrote:
>>> Hi Mark,
>>>
>>> Do you understand exactly what vulnerability they are talking about?
>>
>> No. It doesn't make much sense to me at the minute. I'd ask for more
>> specific information.
>>
>>> For some reason, they have determined that I have it, even though I'm not
>>> using JRun but they wrongly assume I am.
>>
>> Looks like it so far. It all depends how they are detecting the
>> vulnerability. It could be a false positive but there isn't enough
>> information to tell.
>>
>>> What do you mean exactly by "app managing its own authentication"?
>>> Sorry if it is a dumb question.
>>
>> If you use Tomcat's authentication (BASIC, FORM, etc.) then Tomcat will
>> change the session ID on authentication and therefore protect against
>> session fixation.
>>
>> If the app has its own authentication mechanism it is possible that the
>> session ID will not be changed on authentication, creating the possibility
>> for a session fixation attack.
>>
>>> I found this on Google, and now that I read it I realize they are
>>> quoting you! :-)
>>> http://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm
>>> Is this the same subject?
>>
>> Yep, although that is looking at Tomcat 7. The session fixation protection
>> (along with a handful of other things originally developed for Tomcat 7)
>> got back-ported to Tomcat 6.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
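Mark's point is that Tomcat only rotates the JSESSIONID for you when Tomcat does the authentication; an app with its own login code has to do the rotation itself. The servlet below is an added illustration of that, not code from this thread or from Tomcat. It targets the Servlet 2.5 API that Tomcat 6 implements, where there is no `changeSessionId()`, so the portable way to get a fresh ID is to invalidate the pre-login session and create a new one, carrying over any attributes worth keeping. The class is abstract so that `checkCredentials` stays the application's own (hypothetical) check; the `/home` redirect target and the `username`/`password` parameter names are assumptions.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Login servlet for an application that manages its own authentication
 * (i.e. not BASIC/FORM). Added example; assumes deployment in a servlet
 * container such as Tomcat 6 with the javax.servlet API on the classpath.
 */
public abstract class LoginServlet extends HttpServlet {

    /** The application's own credential check (hypothetical; supplied by the app). */
    protected abstract boolean checkCredentials(String user, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");      // assumed parameter name
        String password = req.getParameter("password");  // assumed parameter name

        if (user == null || password == null || !checkCredentials(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // The key step: drop the session (and JSESSIONID) that existed before
        // authentication and continue in a brand-new one, so a session ID that
        // was known before login is not the one that becomes authenticated.
        HttpSession session = rotateSession(req);
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home"); // assumed landing page
    }

    /**
     * Invalidates the current session, if any, and returns a new session that
     * carries over the old attributes. Servlet 2.5 has no changeSessionId(),
     * so invalidate() followed by getSession(true) is how a new ID is obtained.
     */
    static HttpSession rotateSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        // Servlet containers issue a new session ID for a newly created session;
        // the Set-Cookie for the new JSESSIONID goes out with this response.
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

A simple check that the fix is in place is to note the JSESSIONID cookie value before submitting the login form and compare it with the value in the Set-Cookie header of the login response: it should differ. Call `rotateSession` only after the credentials have been verified, so a failed login attempt does not churn sessions, and be selective about which attributes are carried over, since anything stored before login was stored in a session whose ID may not have been trustworthy.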