Author: markt Date: Mon Jun 20 09:58:37 2016 New Revision: 1749287 URL: http://svn.apache.org/viewvc?rev=1749287&view=rev Log: Change the default for Context.sessionCookiePathUsesTrailingSlash from true to false.
Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java tomcat/trunk/webapps/docs/changelog.xml tomcat/trunk/webapps/docs/config/context.xml tomcat/trunk/webapps/docs/security-howto.xml Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1749287&r1=1749286&r2=1749287&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original) +++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Mon Jun 20 09:58:37 2016 @@ -696,7 +696,7 @@ public class StandardContext extends Con * particularly IE, don't send a session cookie for context /foo with * requests intended for context /foobar. */ - private boolean sessionCookiePathUsesTrailingSlash = true; + private boolean sessionCookiePathUsesTrailingSlash = false; /** Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1749287&r1=1749286&r2=1749287&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Mon Jun 20 09:58:37 2016 
@@ -67,6 +67,13 @@ attempts during the lock out period will no longer reset the lock out timer to zero. (markt) </fix> + <update> + Change the default of the + <code>sessionCookiePathUsesTrailingSlash</code> attribute of the + <code>Context</code> element to <code>false</code> since the problems + caused when a Servlet is mapped to <code>/*</code> are more significant + than the security risk of not enabling this option by default. (markt) + </update> </changelog> </subsection> <subsection name="Coyote"> Modified: tomcat/trunk/webapps/docs/config/context.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/context.xml?rev=1749287&r1=1749286&r2=1749287&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/config/context.xml (original) +++ tomcat/trunk/webapps/docs/config/context.xml Mon Jun 20 09:58:37 2016 
@@ -492,15 +492,23 @@ </attribute> <attribute name="sessionCookiePathUsesTrailingSlash" required="false"> - <p>Some browsers, such as IE, will send a session cookie for a context - with a path of /foo with a request to /foobar. To prevent this, Tomcat - will add a trailing slash to the path associated with the session cookie - so, in the above example, the cookie path becomes /foo/. However, with a - cookie path of /foo/, IE will no longer send the cookie with a request - to /foo. This should not be a problem unless there is a servlet mapped - to /*. In this case this feature will need to be disabled. The default - value for this attribute is <code>true.</code> To disable this feature, - set the attribute to <code>false</code>.</p> + <p>Some browsers, such as Internet Explorer, Safari and Edge, will send + a session cookie for a context with a path of <code>/foo</code> with a + request to <code>/foobar</code> in violation of RFC6265. This could + expose a session ID from an application deployed at <code>/foo</code> to + an application deployed at <code>/foobar</code>. If the application + deployed at <code>/foobar</code> is untrusted, this could create a + security risk. However, it should be noted that RFC 6265, section 8.5 + makes clear that path alone should not be view as sufficient to prevent + untrusted applications accessing cookies from other applications. To + mitigate this risk, this attribute may bet ste to <code>true</code> and + Tomcat will add a trailing slash to the path associated with the session + cookie so, in the above example, the cookie path becomes /foo/. However, + with a cookie path of /foo/, browsers will no longer send the cookie + with a request to /foo. This should not be a problem unless there is a + servlet mapped to /*. In this case this attribute will need to be set to + <code>false</code> to disable this feature. 
The default value for this + attribute is <code>false</code>.</p> </attribute> <attribute name="swallowAbortedUploads" required="false"> Modified: tomcat/trunk/webapps/docs/security-howto.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-howto.xml?rev=1749287&r1=1749286&r2=1749287&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/security-howto.xml (original) +++ tomcat/trunk/webapps/docs/security-howto.xml Mon Jun 20 09:58:37 2016 @@ -348,6 +348,15 @@ operating systems (this includes Windows) will disable a number of security measures and allow, among other things, direct access to the WEB-INF directory.</p> + + <p>The <strong>sessionCookiePathUsesTrailingSlash</strong> can be used to + work around a bug in a number of browsers (Internet Explorer, Safari and + Edge) to prevent session cookies being exposed across applications when + applications share a common path prefix. However, enabling this option + can create problems for applications with Servlets mapped to + <code>/*</code>. It should also be noted the RFC6265 section 8.5 makes it + clear that different paths should not be considered sufficient to isolate + cookies from other applications.</p> </subsection> <subsection name="Valves"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
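Review bot: the new paragraph for sessionCookiePathUsesTrailingSlash in the context.xml hunk carries typos that will ship in the user documentation: "this attribute may bet ste to <code>true</code>" should read "may be set to <code>true</code>", and "path alone should not be view as sufficient" should read "should not be viewed as sufficient". The RFC is also cited as both "RFC6265" and "RFC 6265" within the same paragraph; pick one form. For consistency with the earlier <code>/foo</code> and <code>/foobar</code>, the later occurrences of /foo/, /foo and /* in the same paragraph would read better wrapped in <code> too.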
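Review bot: in the security-howto.xml hunk the sentence "The <strong>sessionCookiePathUsesTrailingSlash</strong> can be used to work around a bug ..." is missing a noun after the attribute name (for example "The <strong>sessionCookiePathUsesTrailingSlash</strong> attribute can be used ..."), and "It should also be noted the RFC6265 section 8.5 makes it clear" should read "It should also be noted that RFC 6265, section 8.5 makes it clear". Since this commit flips the default to <code>false</code>, the security how-to paragraph should also state that the option is now off by default, so administrators who relied on the previous behaviour know they must enable it explicitly.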
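Review bot: the StandardContext.java hunk changes only the initialiser of sessionCookiePathUsesTrailingSlash, while the part of the field Javadoc visible in the context lines still describes just the browser behaviour the option works around (IE sending the /foo cookie with requests for /foobar) and gives no hint of the new default; add a sentence to that comment noting that the default is now false because of the problems with Servlets mapped to /*, matching the changelog entry, so the code comment and the documentation stay in sync.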