TomcatExpert

Session Fixation Protection

posted by mthomas on April 25, 2011 06:30 AM

A common practice these days in email marketing is to provide users with custom links that take them straight to their own account and reduce the number of steps needed to sign up for additional services or correct outdated or invalid account information. This is great for a company's relationship with its customers; however, it is fairly easy to exploit.

A simple scenario

Mary and Bob both have accounts with the same bank. Mary is not very internet savvy, and Bob is. Bob sends Mary a link that is plainly seen to be their bank’s address, with a session ID attached (http://www.foobank.com/?SID=BOB_KNOWS_THE_ID). Mary sees it's one of the bank’s URLs, clicks it, and logs in with her username and password. As soon as she does that, Bob can also click that link: the session is now authenticated, so he has full access to all her account information and money!

There are more complex scenarios documented across the web. Some additional easy-to-understand examples can be found on Wikipedia. The reality is that there are several things Mary could do to be better educated and protect herself, but consumers are hard to educate perfectly. In turn, companies, especially ones that rely on authenticated sessions to serve their customers, must protect their customers from these types of attacks.

Session Fixation Protection

A new security feature in Apache Tomcat 7 is Session Fixation Protection. Essentially, when a user authenticates, Tomcat changes the session ID. It does not destroy the previous session; rather, it renames it so that it can no longer be found by the old ID. So in our example above, Bob would try to use that session ID and would not be able to find the session.

Turning off Session Fixation Protection

Session fixation protection is turned on by default in all Apache Tomcat 7 versions and from Apache Tomcat 6.0.21 on. If you do not wish to use this protection, you need to modify the configuration of the internal valve in Tomcat that does the authentication.

Normally you do not see this valve in a server.xml or context.xml file. As soon as you configure a web application with authentication, whether it's basic, form, digest or client cert, Tomcat automatically inserts the appropriate authentication valve into your configuration. To turn the protection off, rather than relying on Tomcat’s implicit configuration, you will need to add the valve explicitly.

So, if you were using basic authentication, you would need to navigate to the context.xml file for your application (not $CATALINA_BASE/conf/context.xml, which is the global context.xml that provides defaults for all web applications) and add a valve with className="org.apache.catalina.authenticator.BasicAuthenticator", also setting the attribute changeSessionIdOnAuthentication="false". For more information on the various valves and classes needed, please see the Apache Tomcat Valve Configuration documentation.
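The per-application context.xml described above, written out as an added example (this fragment is not from the article or from the Tomcat documentation). It assumes basic authentication; the other authenticator valves in the same package (FormAuthenticator, DigestAuthenticator, SSLAuthenticator) take the same attribute. Tomcat adds the valve itself when the attribute is absent, with changeSessionIdOnAuthentication defaulting to "true", so the only reason to declare it is to change that value:

```xml
<!-- Added example: META-INF/context.xml of one web application, not
     $CATALINA_BASE/conf/context.xml. Declaring the authenticator valve
     explicitly is what makes changeSessionIdOnAuthentication settable. -->
<Context>
  <!-- "false" disables Session Fixation Protection for this application.
       Remove the attribute or set it to "true" to restore the default,
       which is what the ASF Security Team recommends. -->
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
         changeSessionIdOnAuthentication="false" />
</Context>
```

Because the valve is now declared by hand, Tomcat no longer picks the authenticator for you: the className must match the auth-method in the application's web.xml, otherwise logins fail rather than silently falling back.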

When to Disable Session Fixation

The ASF Security Team deemed this a basic enough protection to turn it on by default in Tomcat 7. Turning it off is not generally advised unless it breaks your application's functionality in some way. Generally, it is advised to leave this protection on as an added precaution for valuable customer information.

Mark Thomas is a Senior Software Engineer for the SpringSource Division of VMware, Inc. (NYSE: VMW). Mark has been using and developing Tomcat for over six years. He first got involved in the development of Tomcat when he needed better control over the SSL configuration than was available at the time. After fixing that first bug, he started working his way through the remaining Tomcat bugs and is still going. Along the way Mark has become a Tomcat committer and PMC member, volunteered to be the Tomcat 4 & 7 release manager, created the Tomcat security pages, become a member of the ASF and joined the Apache Security Committee. He also helps maintain the ASF's Bugzilla instances. Mark has an MEng in Electronic and Electrical Engineering from the University of Birmingham, United Kingdom.

Comments

class should be className

I believe it should be className instead of class in the attribute described above for a valve.

Correct. I'll get that

Correct. I'll get that changed.

Problems switching between http and https

My tomcat webapp broke when I tried to upgrade from 6.0.18 to 6.0.32. The webapp uses Active Authentication (http://www2.sys-con.com/ITSG/virtualcd/Java/archives/0808/beck/index.html) and I followed your tips to disable session fixation, which fixed the problem. Thank you!

I'm wondering if there's a way for me to modify my code so that I can re-enable session fixation and still have logins work successfully. I believe the problem lies in the fact that the webapp uses the struts sslext extension, which redirects the traffic to https during login, and then switches back to http once the credentials have been passed. It seems that the authentication happens successfully with the ssl session, but when switching back to http, the session is no longer authenticated.

Do you have any suggestions?

Question

If I have my custom servlet filter authentication (I'm not using basic, form, digest or client cert)... How can I turn on Session Fixation Protection?

Fernando Franzini - Java Blog
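The following is an added example, not code from the article, from the commenter, or from Tomcat. It shows what the article's feature does (retiring the session ID the client arrived with at the moment of authentication) applied by hand in a web application that authenticates in its own servlet filter, where no Tomcat authenticator valve is present and changeSessionIdOnAuthentication therefore never runs. The login path "/login", the request parameters "username" and "password", the session attribute "user", and the UserStore interface (looked up from a hypothetical "userStore" servlet context attribute) are assumptions standing in for the application's own code.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the article or from Tomcat): a login filter that
 * gives a filter-based login the same protection Tomcat's authenticator
 * valves apply. Once credentials check out, the session ID the client
 * arrived with is retired and a fresh one is issued before any
 * authenticated state is stored.
 */
public final class SessionFixationLoginFilter implements Filter {

    /** Stands in for the application's own credential check (hypothetical). */
    public interface UserStore {
        boolean verify(String username, String password);
    }

    private UserStore users;

    @Override
    public void init(FilterConfig config) {
        // Hypothetical wiring: the application publishes its UserStore as a
        // servlet context attribute at startup.
        users = (UserStore) config.getServletContext().getAttribute("userStore");
    }

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        boolean loginAttempt = "POST".equals(request.getMethod())
                && "/login".equals(request.getServletPath());
        if (loginAttempt) {
            String username = request.getParameter("username");
            String password = request.getParameter("password");
            if (username != null && password != null && users.verify(username, password)) {
                // Credentials verified: first retire the ID the client (or a link
                // the client followed) supplied, then record the login only in
                // the new session, so the old ID never becomes authenticated.
                HttpSession fresh = renewSession(request);
                fresh.setAttribute("user", username);
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Portable Servlet 3.0 equivalent of the valve's behaviour: pre-login
     * attributes are carried over, the old session and its ID are invalidated,
     * and a new session with a new ID is created. Servlet 3.1 containers can
     * instead call HttpServletRequest.changeSessionId(), which keeps the same
     * session object and only swaps the ID, as the Tomcat valve does.
     */
    static HttpSession renewSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

Map the filter to the login URL in web.xml (or via ServletContext.addFilter) so it runs before anything else reads the session on that request. The order inside doFilter is the point: verify, then renew, then store the user; storing the user before renewing would briefly authenticate the ID an outsider may already hold.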
