http://issues.apache.org/bugzilla/show_bug.cgi?id=41217

Summary: SingleSignOn Cookie does not honor https access: Login Information Disclosure
Product: Tomcat 5
Version: 5.5.20
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: [EMAIL PROTECTED]

When using the SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) via https, the Cookie JSESSIONIDSSO is transmitted without the "secure" attribute, resulting in it being transmitted to any content that is - by purpose or error - requested via http from the same server. As the content of the SSO-Cookie is confidential (it will lead to automatically logged in sessions in other contexts - https or non-https), this should never happen.

Sorry to have no patch. I've not installed the complete source distribution in my development environment, but it seems the point to change is org.apache.catalina.authenticator.AuthenticatorBase.register(...), the code of interest being (from 5.5.30 source distribution):

    Cookie cookie = new Cookie(Constants.SINGLE_SIGN_ON_COOKIE, ssoId);
    cookie.setMaxAge(-1);
    cookie.setPath("/");
    hres.addCookie(cookie);

As hres is an org.apache.catalina.HttpRequest, and I've looked through the code to find org.apache.catalina.Request.setSecure() but no ...isSecure() (though this is mentioned in the Javadoc for ...setSecure()), I suppose there needs to be another change to provide isSecure() on Request or HttpRequest, but this is difficult to tell only from the editor. If isSecure() was there, there'd be a cookie.setSecure(hres.isSecure()) missing in the statements above...
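The following is an added example, not code from the bug report or from Tomcat itself. It shows the cookie construction quoted above beside the form the reporter proposes, with the Secure attribute tied to whether the creating request arrived over TLS, and a small audit method that flags the reported condition. It assumes the Servlet 2.4 API (javax.servlet, which Tomcat 5.5 implements) is on the classpath; the class and method names (SecureSsoCookieExample, buildSsoCookieUnsafe, buildSsoCookie, registerSso, leaksOverHttp) are hypothetical helpers chosen for illustration.

```java
// Added example (not Tomcat's code): SSO cookie with the Secure attribute
// following the scheme of the request that created the SSO session.
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SecureSsoCookieExample {

    // Cookie name reported in the bug (Tomcat's Constants.SINGLE_SIGN_ON_COOKIE).
    public static final String SSO_COOKIE_NAME = "JSESSIONIDSSO";

    // Form quoted in the report: no Secure attribute, so a browser will also
    // send the cookie on plain-http requests to the same host.
    public static Cookie buildSsoCookieUnsafe(String ssoId) {
        Cookie cookie = new Cookie(SSO_COOKIE_NAME, ssoId);
        cookie.setMaxAge(-1);   // -1: session cookie, discarded when the browser exits
        cookie.setPath("/");
        return cookie;
    }

    // Proposed form: mark the cookie Secure when the SSO session was created
    // over https, so the browser never sends it over http.
    public static Cookie buildSsoCookie(String ssoId, boolean requestIsSecure) {
        Cookie cookie = new Cookie(SSO_COOKIE_NAME, ssoId);
        cookie.setMaxAge(-1);
        cookie.setPath("/");
        cookie.setSecure(requestIsSecure);
        return cookie;
    }

    // Where a register(...) step would use it. HttpServletRequest.isSecure()
    // is part of the Servlet API, independent of the Catalina Request
    // wrapper the reporter was reading.
    public static void registerSso(HttpServletRequest req, HttpServletResponse res, String ssoId) {
        res.addCookie(buildSsoCookie(ssoId, req.isSecure()));
    }

    // Audit helper: true when a cookie issued on an https request is not
    // marked Secure, i.e. the condition described in the report.
    public static boolean leaksOverHttp(Cookie cookie, boolean issuedOverHttps) {
        return issuedOverHttps && !cookie.getSecure();
    }

    // Stand-alone demonstration; javax.servlet.http.Cookie needs no container.
    public static void main(String[] args) {
        String ssoId = "constructed-sso-id-0001";   // constructed sample value
        Cookie unsafe = buildSsoCookieUnsafe(ssoId);
        Cookie fixed = buildSsoCookie(ssoId, true);
        System.out.println("unsafe cookie leaks over http: " + leaksOverHttp(unsafe, true)); // true
        System.out.println("fixed cookie leaks over http:  " + leaksOverHttp(fixed, true));  // false
    }
}
```

Setting the flag from the request's own scheme keeps plain-http deployments working while an https-created SSO cookie is no longer offered to http URLs on the same host; a reviewer checking a fix for this report can apply the leaksOverHttp predicate to the Set-Cookie emitted by the SSO valve on an https login.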