On 15/06/2016 11:59, Rémy Maucherat wrote:
> 2016-06-15 12:31 GMT+02:00 Mark Thomas <ma...@apache.org>:
> 
>> Hi all,
>>
>> A problem[1] with the default for sessionCookiePathUsesTrailingSlash has
>> cropped up via $work and after some research I wanted to discuss whether
>> the default should be changed.
>>
>> The default for sessionCookiePathUsesTrailingSlash is true to work
>> around a potential security issue in a number of browsers. I did a quick
>> test before writing this e-mail and it appears that IE, Edge and Safari
>> are affected. Together they represent approximately 42% of the current
>> browser market share[2].
>>
>> The security issue is that for a cookie path of '/foo', these browsers
>> include the cookie when sending requests to '/foobar'. Tomcat
>> therefore introduced sessionCookiePathUsesTrailingSlash which adds a '/'
>> to the cookie path so '/foo' becomes '/foo/' since no user agent will
>> include this in a request to '/foobar'.
>>
>> However, this can cause problems. To summarise [1], we have:
>> A user request for '/foo'
>> A security enforcing filter that uses cookies mapped to '/*'
>> A web application with a controller servlet mapped to '/*'
>>
>> The sequence of events is:
>> - Tomcat receives the request for '/foo'
>> - Because of the servlet mapped to '/*', Tomcat does not redirect
>>   this to '/foo/'
>> - The security filter creates a session cookie (path '/foo/')
>> - The security filter performs authentication which includes
>>   additional requests from the client to '/foo'
>> - The security filter rejects the authentication because the
>>   subsequent requests do not include the cookie because the path
>>   does not match
>>
>> RFC 6265, section 4.1.2.4 is clear that cookies with a path of '/foo'
>> should not be included with requests for '/foobar'. However that same
>> section also makes clear that cookie paths should not be relied upon for
>> security. It references RFC 6265 section 8 which provides several
>> reasons for this in addition to the broken behaviour described above.
>>
>> Given the problems caused by the current default for
>> sessionCookiePathUsesTrailingSlash and the warnings in RFC 6265
>> regarding relying on cookie paths for security, I would like to propose
>> the following changes:
>> 1. Change the default for sessionCookiePathUsesTrailingSlash to false.
>> 2. Add some explanatory notes to the documentation for
>>    sessionCookiePathUsesTrailingSlash that make clear that the setting
>>    is:
>>    a) intended to work around broken browser behaviour
>>    b) while it closes one security hole, others are likely to remain
>>       and reference RFC 6265 section 8.
>>
>> Thoughts?
>>
> +1

OK. I'll get this done shortly.

Mark
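The RFC 6265 path-match rule beside the browser prefix-matching bug the thread describes, as an added example written for this page (not Tomcat's code and nothing posted on the list): it shows why a '/foo/' cookie path is never sent with a request for '/foo', and why a '/foo' path reaches '/foobar' only under the non-compliant prefix test. The naive_prefix_match function is an assumed model of the affected browsers, and session_cookie_path assumes a non-root context.

```python
def rfc6265_path_match(request_path: str, cookie_path: str) -> bool:
    """Path-match as defined in RFC 6265 section 5.1.4."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # A prefix only counts when it ends on a path-segment boundary:
    # either the cookie path ends in '/' or the next request char is '/'.
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


def naive_prefix_match(request_path: str, cookie_path: str) -> bool:
    """Assumed model of the broken browser behaviour from the thread:
    a bare string-prefix test, so '/foo' also matches '/foobar'."""
    return request_path.startswith(cookie_path)


def session_cookie_path(context_path: str, uses_trailing_slash: bool) -> str:
    """Cookie path for a (non-root) context, with or without the
    sessionCookiePathUsesTrailingSlash workaround (assumed simplification)."""
    return context_path + "/" if uses_trailing_slash else context_path


def cookie_sent(request_path, context_path, uses_trailing_slash, matcher):
    """Would a browser using `matcher` attach the session cookie?"""
    path = session_cookie_path(context_path, uses_trailing_slash)
    return matcher(request_path, path)


BROWSERS = {"rfc6265": rfc6265_path_match, "prefix-bug": naive_prefix_match}


def outcomes(context_path: str, uses_trailing_slash: bool) -> dict:
    """Map (request path, browser model) -> cookie attached or not, for the
    request paths discussed in the thread plus one inside the context."""
    return {
        (req, name): cookie_sent(req, context_path, uses_trailing_slash, fn)
        for req in (context_path, context_path + "bar", context_path + "/x")
        for name, fn in BROWSERS.items()
    }


if __name__ == "__main__":
    for flag in (True, False):
        print(f"sessionCookiePathUsesTrailingSlash={flag}")
        for (req, browser), sent in outcomes("/foo", flag).items():
            print(f"  {browser:10} {req:10} cookie sent: {sent}")
```

With the flag true no browser sends the cookie to '/foo' itself (the authentication failure in the thread); with it false only the prefix-matching browser sends it to '/foobar'.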

