Hi all,

A problem[1] with the default for sessionCookiePathUsesTrailingSlash has
cropped up via $work and after some research I wanted to discuss whether
the default should be changed.

The default for sessionCookiePathUsesTrailingSlash is true to work
around a potential security issue in a number of browsers. I did a quick
test before writing this e-mail and it appears that IE, Edge and Safari
are affected. Together they represent approximately 42% of the current
browser market share[2].

The security issue is that for a cookie path of '/foo', these browsers
include the cookie when sending requests to '/foobar'. Tomcat
therefore introduced sessionCookiePathUsesTrailingSlash which adds a '/'
to the cookie path so '/foo' becomes '/foo/' since no user agent will
include this in a request to '/foobar'.

However, this can cause problems. To summarise [1], we have:
- A user request for '/foo'
- A security enforcing filter that uses cookies mapped to '/*'
- A web application with a controller servlet mapped to '/*'

The sequence of events is:
- Tomcat receives the request for '/foo'
- Because of the servlet mapped to '/*', Tomcat does not redirect
  this to '/foo/'
- The security filter creates a session cookie (path '/foo/')
- The security filter performs authentication which includes
  additional requests from the client to '/foo'
- The security filter rejects the authentication because the
  subsequent requests do not include the cookie because the path
  does not match

RFC 6265, section 4.1.2.4 is clear that cookies with a path of '/foo'
should not be included with requests for '/foobar'. However that same
section also makes clear that cookie paths should not be relied upon for
security. It references RFC 6265 section 8 which provides several
reasons for this in addition to the broken behaviour described above.

Given the problems caused by the current default for
sessionCookiePathUsesTrailingSlash and the warnings in RFC 6265
regarding relying on cookie paths for security, I would like to propose
the following changes:
1. Change the default for sessionCookiePathUsesTrailingSlash to false.
2. Add some explanatory notes to the documentation for
   sessionCookiePathUsesTrailingSlash that make clear that the setting
   is:
   a) intended to work around broken browser behaviour
   b) while it closes one security hole, others are likely to remain
      and reference RFC 6265 section 8.

Thoughts?

Mark


[1] https://github.com/grails/grails-core/issues/9024
[2] https://www.netmarketshare.com/browser-market-share.aspx?qprid=2&qpcustomd=0&qpcustom=
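As an added example (not code from this mail or from Tomcat), the following Python models the RFC 6265 section 5.1.4 path-match rule beside the plain prefix match the affected browsers use, and applies both to the '/foo' versus '/foobar' scenario above. The session_cookie_path function is a simplified stand-in (an assumption) for what sessionCookiePathUsesTrailingSlash does to the context path.

```python
# Added example: RFC 6265 path matching next to the broken prefix match
# described in the mail, applied to the sessionCookiePathUsesTrailingSlash
# scenario. Not Tomcat's own code; session_cookie_path is a simplified model.


def rfc6265_path_match(cookie_path: str, request_path: str) -> bool:
    """Path-match as defined in RFC 6265, section 5.1.4."""
    if cookie_path == request_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # A prefix match counts only if the cookie-path ends in '/' or the
    # first request-path character beyond the cookie-path is '/'.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def broken_prefix_match(cookie_path: str, request_path: str) -> bool:
    """Plain prefix comparison: the browser behaviour the mail describes."""
    return request_path.startswith(cookie_path)


def session_cookie_path(context_path: str, uses_trailing_slash: bool) -> str:
    """Simplified model (assumption) of the Tomcat setting: '/foo' -> '/foo/'."""
    if uses_trailing_slash and not context_path.endswith("/"):
        return context_path + "/"
    return context_path


def cookie_is_sent(context_path, request_path, uses_trailing_slash, matcher):
    """Would a session cookie set for context_path be sent with request_path?"""
    cookie_path = session_cookie_path(context_path, uses_trailing_slash)
    return matcher(cookie_path, request_path)


def scenarios():
    """Constructed cases covering the leak and the failure mode from [1]."""
    return {
        # Leak: a prefix-matching browser sends the '/foo' cookie to '/foobar'.
        "leak_without_workaround": cookie_is_sent("/foo", "/foobar", False, broken_prefix_match),
        # Workaround: '/foo/' is never a prefix of '/foobar', so no leak.
        "leak_with_workaround": cookie_is_sent("/foo", "/foobar", True, broken_prefix_match),
        # Cost: a conforming browser does not send the '/foo/' cookie to '/foo' itself.
        "sent_to_context_root_with_workaround": cookie_is_sent("/foo", "/foo", True, rfc6265_path_match),
        # Without the workaround a conforming browser sends it to '/foo' ...
        "sent_to_context_root_without_workaround": cookie_is_sent("/foo", "/foo", False, rfc6265_path_match),
        # ... but not to '/foobar', as RFC 6265 section 4.1.2.4 requires.
        "conforming_leak_without_workaround": cookie_is_sent("/foo", "/foobar", False, rfc6265_path_match),
    }


if __name__ == "__main__":
    for name, sent in scenarios().items():
        print(f"{name}: cookie sent = {sent}")
```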
