Author: markt
Date: Sun Dec 20 01:04:17 2009
New Revision: 892545
URL: http://svn.apache.org/viewvc?rev=892545&view=rev
Log:
Address https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
Prevent session fixation by changing session ID on authentication by default
Modified:
tomcat/tc6.0.x/trunk/ (props changed)
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml
Propchange: tomcat/tc6.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sun Dec 20 01:04:17 2009
@@ -1,2 +1,2 @@
/tomcat:883362
-/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,666232,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,753039,757335,757774,758249,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,770809,77
0876,772872,776921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,814708,814876,815972,816252,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,830999,831106,831774,831785,831828,831850,831860,832218,833121,833545,834047,835036,835336,836405,881396,881412,883130,883146,883177,883362,885038,885991,886019,888072,889363,890349,890417,891583,892198
+/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,666232,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,753039,757335,757774,758249,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,770809,77
0876,772872,776921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,814708,814876,815972,816252,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,830999,831106,831774,831785,831828,831850,831860,832218,833121,833545,834047,835036,835336,836405,881396,881412,883130,883146,883177,883362,885038,885991,886019,888072,889363,889716,890349,890417,891583,892198,892415
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=892545&r1=892544&r2=892545&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Sun Dec 20 01:04:17 2009
@@ -322,22 +322,6 @@
+1: markt, rjung
-1:
-* Address https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
- Prevent session fixation by changing session ID on authentication by default
- If you don't like the session ID changing by default, feel free to caveat
your
- vote. If there is suggicient support for the patch but insufficient support
- for changing the ID by default I'll apply the patch with the default set to
- not change the session ID
- http://svn.apache.org/viewvc?rev=889716&view=rev
- +1: markt, jfclere, jim
- -1: kkolinko: -1 if alone, +1 if committed together with rev.892415
- proposed below.
-
- Provide setter for the new AuthenticatorBase property
- http://svn.apache.org/viewvc?rev=892415&view=rev
- +1: kkolinko, rjung, markt
- -1:
-
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=43656
Coerce null to zero when target type in Number
http://svn.apache.org/viewvc?rev=890139&view=rev
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java?rev=892545&r1=892544&r2=892545&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/Manager.java Sun Dec 20
01:04:17 2009
@@ -260,6 +260,15 @@
/**
+ * Change the session ID of the current session to a new randomly generated
+ * session ID.
+ *
+ * @param session The session to change the session ID for
+ */
+ public void changeSessionId(Session session);
+
+
+ /**
* Get a session from the recycled ones or create a new empty one.
* The PersistentManager manager does not need to create session data
* because it reads it from the Store.
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=892545&r1=892544&r2=892545&view=diff
==============================================================================
---
tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
(original)
+++
tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
Sun Dec 20 01:04:17 2009
@@ -37,6 +37,7 @@
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleListener;
+import org.apache.catalina.Manager;
import org.apache.catalina.Pipeline;
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
@@ -113,6 +114,12 @@
/**
+ * Should the session ID, if any, be changed upon a successful
+ * authentication to prevent a session fixation attack?
+ */
+ protected boolean changeSessionIdOnAuthentication = true;
+
+ /**
* The Context to which this Valve is attached.
*/
protected Context context = null;
@@ -366,6 +373,31 @@
this.securePagesWithPragma = securePagesWithPragma;
}
+ /**
+ * Return the flag that states if we should change the session ID of an
+ * existing session upon successful authentication.
+ *
+ * @return <code>true</code> to change session ID upon successful
+ * authentication, <code>false</code> to do not perform the change.
+ */
+ public boolean getChangeSessionIdOnAuthentication() {
+ return changeSessionIdOnAuthentication;
+ }
+
+ /**
+ * Set the value of the flag that states if we should change the session ID
+ * of an existing session upon successful authentication.
+ *
+ * @param changeSessionIdOnAuthentication
+ * <code>true</code> to change session ID upon successful
+ * authentication, <code>false</code> to do not perform the
+ * change.
+ */
+ public void setChangeSessionIdOnAuthentication(
+ boolean changeSessionIdOnAuthentication) {
+ this.changeSessionIdOnAuthentication = changeSessionIdOnAuthentication;
+ }
+
// --------------------------------------------------------- Public Methods
@@ -499,6 +531,7 @@
*/
return;
}
+
}
if (log.isDebugEnabled()) {
@@ -712,6 +745,13 @@
request.setUserPrincipal(principal);
Session session = request.getSessionInternal(false);
+
+ if (session != null && changeSessionIdOnAuthentication) {
+ Manager manager = request.getContext().getManager();
+ manager.changeSessionId(session);
+ request.changeSessionId(session.getId());
+ }
+
// Cache the authentication information in our session, if any
if (cache) {
if (session != null) {
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java?rev=892545&r1=892544&r2=892545&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java Sun
Dec 20 01:04:17 2009
@@ -2234,6 +2234,50 @@
/**
+ * Change the ID of the session that this request is associated with. There
+ * are several things that may trigger an ID change. These include moving
+ * between nodes in a cluster and session fixation prevention during the
+ * authentication process.
+ *
+ * @param session The session to change the session ID for
+ */
+ public void changeSessionId(String newSessionId) {
+ // This should only ever be called if there was an old session ID but
+ // double check to be sure
+ if (requestedSessionId != null && requestedSessionId.length() > 0) {
+ requestedSessionId = newSessionId;
+ }
+
+ if (context != null && !context.getCookies())
+ return;
+
+ if (response != null) {
+ Cookie newCookie = new Cookie(Globals.SESSION_COOKIE_NAME,
+ newSessionId);
+ newCookie.setMaxAge(-1);
+ String contextPath = null;
+ if (!response.getConnector().getEmptySessionPath()
+ && (context != null)) {
+ contextPath = context.getEncodedPath();
+ }
+ if ((contextPath != null) && (contextPath.length() > 0)) {
+ newCookie.setPath(contextPath);
+ } else {
+ newCookie.setPath("/");
+ }
+ if (isSecure()) {
+ newCookie.setSecure(true);
+ }
+ if (context == null) {
+ response.addCookieInternal(newCookie, false);
+ } else {
+ response.addCookieInternal(newCookie, context.getUseHttpOnly());
+ }
+ }
+ }
+
+
+ /**
* Return the session associated with this Request, creating one
* if necessary and requested.
*
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java?rev=892545&r1=892544&r2=892545&view=diff
==============================================================================
---
tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
(original)
+++
tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
Sun Dec 20 01:04:17 2009
@@ -402,9 +402,8 @@
* new session id for node migration
*/
protected void changeRequestSessionID(Request request, Response response,
String sessionId, String newSessionID) {
- request.setRequestedSessionId(newSessionID);
- if(request.isRequestedSessionIdFromCookie())
- setNewSessionCookie(request, response,newSessionID);
+ request.changeSessionId(newSessionID);
+
// set orginal sessionid at request, to allow application detect the
// change
if (sessionIdAttribute != null && !"".equals(sessionIdAttribute)) {
@@ -447,6 +446,8 @@
* @param request current request
* @param response Tomcat Response
* @param sessionId The session id
+ *
+ * @deprecated Use {...@link Request#changeSessionId(String)}
*/
protected void setNewSessionCookie(Request request,
Response response, String sessionId) {
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java?rev=892545&r1=892544&r2=892545&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java Sun
Dec 20 01:04:17 2009
@@ -924,6 +924,17 @@
}
+ /**
+ * Change the session ID of the current session to a new randomly generated
+ * session ID.
+ *
+ * @param session The session to change the session ID for
+ */
+ public void changeSessionId(Session session) {
+ session.setId(generateSessionId());
+ }
+
+
// ------------------------------------------------------ Protected Methods
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=892545&r1=892544&r2=892545&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sun Dec 20 01:04:17 2009
@@ -86,7 +86,11 @@
</fix>
<fix>
<bug>44943</bug>: Use the same engine name in server.xml comments to
- reduce copy and pastes issues. (markt, kkolinko)
+ reduce copy and pastes issues. (markt/kkolinko)
+ </fix>
+ <fix>
+ <bug>45255</bug>: Provide protection against session fixation by
+ changing session ID automatically on authentication. (markt/kkolinko)
</fix>
<fix>
<bug>45403</bug>: Add additional checks on web application deployment
Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml?rev=892545&r1=892544&r2=892545&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/valve.xml Sun Dec 20 01:04:17 2009
@@ -436,6 +436,13 @@
<strong>org.apache.catalina.authenticator.BasicAuthenticator</strong>.</p>
</attribute>
+ <attribute name="changeSessionIdOnAuthentication" required="false">
+ <p>Controls if the session ID is changed if a session exists at the
+ point where users are authenticated. This is to prevent session
fixation
+ attacks. If not set, the default value of <code>true</code> will be
+ used.</p>
+ </attribute>
+
<attribute name="disableProxyCaching" required="false">
<p>Controls the caching of pages that are protected by security
constraints. Setting this to <code>false</code> may help work around
@@ -488,6 +495,13 @@
<strong>org.apache.catalina.authenticator.DigestAuthenticator</strong>.</p>
</attribute>
+ <attribute name="changeSessionIdOnAuthentication" required="false">
+ <p>Controls if the session ID is changed if a session exists at the
+ point where users are authenticated. This is to prevent session
fixation
+ attacks. If not set, the default value of <code>true</code> will be
+ used.</p>
+ </attribute>
+
<attribute name="disableProxyCaching" required="false">
<p>Controls the caching of pages that are protected by security
constraints. Setting this to <code>false</code> may help work around
@@ -540,6 +554,13 @@
<strong>org.apache.catalina.authenticator.FormAuthenticator</strong>.</p>
</attribute>
+ <attribute name="changeSessionIdOnAuthentication" required="false">
+ <p>Controls if the session ID is changed if a session exists at the
+ point where users are authenticated. This is to prevent session
fixation
+ attacks. If not set, the default value of <code>true</code> will be
+ used.</p>
+ </attribute>
+
<attribute name="characterEncoding" required="false">
<p>Character encoding to use to read the username and password
parameters
from the request. If not set, the encoding of the request body will be
@@ -598,6 +619,13 @@
<strong>org.apache.catalina.authenticator.SSLAuthenticator</strong>.</p>
</attribute>
+ <attribute name="changeSessionIdOnAuthentication" required="false">
+ <p>Controls if the session ID is changed if a session exists at the
+ point where users are authenticated. This is to prevent session
fixation
+ attacks. If not set, the default value of <code>true</code> will be
+ used.</p>
+ </attribute>
+
<attribute name="disableProxyCaching" required="false">
<p>Controls the caching of pages that are protected by security
constraints. Setting this to <code>false</code> may help work around
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
