Session Fixation Protection

posted by mthomas on April 25, 2011 06:30 AM

A common practice these days in email marketing is to provide users with custom links that take them straight to their own account, cutting down the steps needed to sign up for additional services or to correct outdated or invalid account information. This is good for the relationship between a company and its customers; however, it is fairly easy to exploit.

A simple scenario

Mary and Bob both have accounts with the same bank. Mary is not very internet savvy, and Bob is. Bob sends Mary a link that is plainly seen to be their bank's address and has a session ID attached to it. Mary sees it is one of the bank's URLs, clicks it and logs in with her username and password. Because the bank's server keeps using the session ID that Bob supplied, Bob can now make requests carrying that same session ID: it has been authenticated as Mary, so he has full access to all her account information and money!

There are more complex scenarios documented across the web; some further easy-to-understand examples can be found on Wikipedia. The reality is that there are several things Mary could do to be better educated and protect herself, but consumers are hard to educate perfectly. In turn, companies, especially ones that rely on authenticated sessions to serve their customers, must protect their customers from these types of attacks.

Session Fixation Protection

A security feature new in Apache Tomcat 7 (and back-ported to the 6.0.x branch, see below) is Session Fixation Protection. Essentially, when a user authenticates, Tomcat changes the ID of their session. It does not destroy the existing session; rather it renames it, so the session and everything stored in it are kept but can no longer be found under the old ID. So in our example above, Bob would try to use the session ID he sent to Mary, and Tomcat would not find a session for it.

Turning off Session Fixation Protection

Session fixation protection is turned on by default in all Apache Tomcat 7 versions and from Apache Tomcat 6.0.21 onwards. If you do not wish to use this protection, you need to modify the configuration of the internal valve that Tomcat uses to perform authentication.

Normally you do not see this valve in a server.xml or context.xml file. As soon as you configure a web application with container-managed authentication, whether it is BASIC, FORM, DIGEST or CLIENT-CERT in web.xml, Tomcat automatically inserts the matching authenticator valve into that application's pipeline. Note that this is also the only place the protection applies: a login implemented by the application itself (for example in a servlet filter) never passes through the authenticator valve, so the application has to change the session ID on its own. To turn the protection off, rather than relying on Tomcat's implicit configuration, you need to add the valve explicitly and set its attribute.

So, if you were using basic authentication, you would edit the context.xml file for your application (META-INF/context.xml inside the application, not $CATALINA_BASE/conf/context.xml, which is the global context.xml that provides defaults for all web applications) and add a Valve with className="org.apache.catalina.authenticator.BasicAuthenticator" and the attribute changeSessionIdOnAuthentication="false". The other authentication methods use FormAuthenticator, DigestAuthenticator and SSLAuthenticator (client cert) from the same package and take the same attribute. For more information on the various valves and classes needed, please see the Apache Tomcat Valve Configuration documentation.
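As an added example (not taken from the original post or from the Tomcat distribution), this is what the per-application context.xml looks like with the valve declared explicitly. The application is assumed to have a web.xml login-config with auth-method BASIC; the weak setting described above is shown, with the corrected form noted in the comment.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml of the web application, NOT $CATALINA_BASE/conf/context.xml -->
<Context>
    <!-- Tomcat would add this valve by itself for <auth-method>BASIC</auth-method>;
         declaring it is only needed to change its settings.

         Weak setting: the session keeps the ID it had before login, so an ID
         planted by an attacker stays valid after the victim authenticates.
         Corrected form: delete the attribute (the default is "true") or set
         changeSessionIdOnAuthentication="true". -->
    <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
           changeSessionIdOnAuthentication="false" />
</Context>
```

A quick way to check which setting is in effect is to note the JSESSIONID cookie before and after a successful login: with the protection on, the value changes on the response that completes authentication; with the attribute set to "false" it stays the same.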

When to Disable Session Fixation Protection

The ASF Security Team deemed this a basic enough protection to turn it on by default in Tomcat 7. Turning it off is not generally advised, unless it is breaking your application's functionality in some way. Otherwise, leave the protection on as an added precaution for valuable customer information.

Mark Thomas is a Senior Software Engineer for the SpringSource Division of VMware, Inc. (NYSE: VMW). Mark has been using and developing Tomcat for over six years. He first got involved in the development of Tomcat when he needed better control over the SSL configuration than was available at the time. After fixing that first bug, he started working his way through the remaining Tomcat bugs and is still going. Along the way Mark has become a Tomcat committer and PMC member, volunteered to be the Tomcat 4 & 7 release manager, created the Tomcat security pages, become a member of the ASF and joined the Apache Security Committee. He also helps maintain the ASF's Bugzilla instances. Mark has an MEng in Electronic and Electrical Engineering from the University of Birmingham, United Kingdom.


class should be className

I believe it should be className instead of class in the attribute described above for a valve.

Correct. I'll get that changed.

Problems switching between http and https

My Tomcat webapp broke when I tried to upgrade from 6.0.18 to 6.0.32. The webapp uses Active Authentication and I followed your tips to disable session fixation, which fixed the problem. Thank you!

I'm wondering if there's a way for me to modify my code so that I can re-enable session fixation and still have logins work successfully. I believe the problem lies in the fact that the webapp uses the struts sslext extension, which redirects the traffic to https during login, and then switches back to http once the credentials have been passed. It seems that the authentication happens successfully with the ssl session, but when switching back to http, the session is no longer authenticated.

Do you have any suggestions?


If I have my own custom servlet filter authentication (I'm not using basic, form, digest or client cert), how can I turn on Session Fixation Protection?

Fernando Franzini - Java Blog
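The following is an added example, not code from the original post or from Tomcat, illustrating both the mechanism described under "Session Fixation Protection" above and the question in the last comment: an application-managed login in a servlet filter that, like Tomcat's own authenticators, makes the session ID the client arrived with stop resolving once the credentials are accepted. It is written against the Servlet 3.0 API (Tomcat 6 and 7), which has no portable call to rename a session, so it invalidates the old session and migrates its attributes into a fresh one. The LoginFilter class, the /login and /account paths, the attribute name and the demo user table are all assumptions made for the example.

```java
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical login filter (example code, not part of Tomcat). Map it to /*
 * in web.xml. Requests to LOGIN_PATH are let through (GET shows the form,
 * POST is checked here); every other request needs an authenticated session.
 */
public class LoginFilter implements Filter {

    static final String USER_ATTR = "authenticatedUser";   // assumed attribute name
    static final String LOGIN_PATH = "/login";              // assumed servlet path of the form
    private static final Charset UTF8 = Charset.forName("UTF-8");

    // Constructed demo data for the example only; a real filter consults the
    // application's user store and compares password hashes, never plaintext.
    private static final Map<String, String> DEMO_USERS = new HashMap<String, String>();
    static { DEMO_USERS.put("mary", "correct horse battery staple"); }

    public void init(FilterConfig filterConfig) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        if (LOGIN_PATH.equals(request.getServletPath())) {
            if (!"POST".equals(request.getMethod())) {
                chain.doFilter(req, resp);              // render the login form
                return;
            }
            String user = request.getParameter("username");
            String password = request.getParameter("password");
            if (credentialsValid(user, password)) {
                // Swap the session ID only after the check succeeds, and set the
                // login marker on the NEW session, so it never exists under an
                // ID that an attacker could have planted in a link.
                HttpSession fresh = renewSession(request);
                fresh.setAttribute(USER_ATTR, user);
                response.sendRedirect(request.getContextPath() + "/account");
            } else {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            }
            return;
        }

        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return;
        }
        chain.doFilter(req, resp);
    }

    /**
     * Retire the caller's current session and start a new one that carries the
     * same attributes under a container-issued, different ID. The response
     * then sets the new JSESSIONID cookie; the old ID maps to nothing.
     */
    static HttpSession renewSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {       // copy before invalidate():
                String name = names.nextElement();  // reads after it would throw
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Constant-time comparison against the demo table; stand-in for a real credential check. */
    private static boolean credentialsValid(String user, String password) {
        String expected = (user == null) ? null : DEMO_USERS.get(user);
        if (expected == null || password == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(UTF8), password.getBytes(UTF8));
    }
}
```

Two caveats worth knowing before copying this approach. Invalidating the session fires HttpSessionListener.sessionDestroyed and loses anything that is not an attribute (creation time, any state a framework kept keyed on the old ID), which is why Tomcat's own authenticators rename the session instead of destroying it. On Tomcat 8 and later, or any Servlet 3.1 container, the body of renewSession can be replaced by a single call to request.changeSessionId(), which does the same rename as the container's authenticators and keeps the existing session object.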
