Author: markt
Date: Wed Mar 3 23:11:30 2010
New Revision: 918761
URL: http://svn.apache.org/viewvc?rev=918761&view=rev
Log:
Address https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
Prevent session fixation by providing option (disabled by default) to change
session ID on authentication
Modified:
tomcat/tc5.5.x/trunk/STATUS.txt
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/Manager.java
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/connector/Request.java
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/session/ManagerBase.java
tomcat/tc5.5.x/trunk/container/modules/cluster/src/share/org/apache/catalina/cluster/session/JvmRouteBinderValve.java
tomcat/tc5.5.x/trunk/container/modules/ha/src/share/org/apache/catalina/ha/session/JvmRouteBinderValve.java
tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
tomcat/tc5.5.x/trunk/container/webapps/docs/config/valve.xml
Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=918761&r1=918760&r2=918761&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/STATUS.txt (original)
+++ tomcat/tc5.5.x/trunk/STATUS.txt Wed Mar 3 23:11:30 2010
@@ -100,26 +100,6 @@
+1: markt, rjung
-1:
-* Address https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
- Prevent session fixation by changing session ID on authentication by default
- If you don't like the session ID changing by default, feel free to caveat
your
- vote. If there is sufficient support for the patch but insufficient support
- for changing the ID by default I'll apply the patch with the default set to
- not change the session ID
- http://svn.apache.org/viewvc?rev=889716&view=rev
- +1: markt, rjung
- +1: kkolinko: with r892415
- -1:
- rjung: I'd prefer off by default, because 5.5 is assumed to be very stable,
- and changing by default can break things like e.g. existing profiles for
- automated stress testing.
- kkolinko: I agree to have off by default
-
- Provide setter for the new AuthenticatorBase property
- http://svn.apache.org/viewvc?rev=892415&view=rev
- +1: markt, kkolinko, rjung
- -1:
-
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47963
Prevent use of non-RFC2616 compliant custom status messages
http://svn.apache.org/viewvc?view=revision&revision=892777
Modified:
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/Manager.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/Manager.java?rev=918761&r1=918760&r2=918761&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/Manager.java
(original)
+++
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/Manager.java
Wed Mar 3 23:11:30 2010
@@ -260,6 +260,15 @@
/**
+ * Change the session ID of the current session to a new randomly generated
+ * session ID.
+ *
+ * @param session The session to change the session ID for
+ */
+ public void changeSessionId(Session session);
+
+
+ /**
* Get a session from the recycled ones or create a new empty one.
* The PersistentManager manager does not need to create session data
* because it reads it from the Store.
Modified:
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=918761&r1=918760&r2=918761&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
(original)
+++
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
Wed Mar 3 23:11:30 2010
@@ -37,6 +37,7 @@
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleListener;
+import org.apache.catalina.Manager;
import org.apache.catalina.Pipeline;
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
@@ -113,6 +114,12 @@
/**
+ * Should the session ID, if any, be changed upon a successful
+ * authentication to prevent a session fixation attack?
+ */
+ protected boolean changeSessionIdOnAuthentication = false;
+
+ /**
* The Context to which this Valve is attached.
*/
protected Context context = null;
@@ -366,6 +373,31 @@
this.securePagesWithPragma = securePagesWithPragma;
}
+ /**
+ * Return the flag that states if we should change the session ID of an
+ * existing session upon successful authentication.
+ *
+ * @return <code>true</code> to change session ID upon successful
+ * authentication, <code>false</code> to do not perform the change.
+ */
+ public boolean getChangeSessionIdOnAuthentication() {
+ return changeSessionIdOnAuthentication;
+ }
+
+ /**
+ * Set the value of the flag that states if we should change the session ID
+ * of an existing session upon successful authentication.
+ *
+ * @param changeSessionIdOnAuthentication
+ * <code>true</code> to change session ID upon successful
+ * authentication, <code>false</code> to do not perform the
+ * change.
+ */
+ public void setChangeSessionIdOnAuthentication(
+ boolean changeSessionIdOnAuthentication) {
+ this.changeSessionIdOnAuthentication = changeSessionIdOnAuthentication;
+ }
+
// --------------------------------------------------------- Public Methods
@@ -499,6 +531,7 @@
*/
return;
}
+
}
if (log.isDebugEnabled()) {
@@ -715,6 +748,13 @@
request.setUserPrincipal(principal);
Session session = request.getSessionInternal(false);
+
+ if (session != null && changeSessionIdOnAuthentication) {
+ Manager manager = request.getContext().getManager();
+ manager.changeSessionId(session);
+ request.changeSessionId(session.getId());
+ }
+
// Cache the authentication information in our session, if any
if (cache) {
if (session != null) {
Modified:
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/connector/Request.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/connector/Request.java?rev=918761&r1=918760&r2=918761&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/connector/Request.java
(original)
+++
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/connector/Request.java
Wed Mar 3 23:11:30 2010
@@ -2167,6 +2167,50 @@
/**
+ * Change the ID of the session that this request is associated with. There
+ * are several things that may trigger an ID change. These include moving
+ * between nodes in a cluster and session fixation prevention during the
+ * authentication process.
+ *
+ * @param session The session to change the session ID for
+ */
+ public void changeSessionId(String newSessionId) {
+ // This should only ever be called if there was an old session ID but
+ // double check to be sure
+ if (requestedSessionId != null && requestedSessionId.length() > 0) {
+ requestedSessionId = newSessionId;
+ }
+
+ if (context != null && !context.getCookies())
+ return;
+
+ if (response != null) {
+ Cookie newCookie = new Cookie(Globals.SESSION_COOKIE_NAME,
+ newSessionId);
+ newCookie.setMaxAge(-1);
+ String contextPath = null;
+ if (!response.getConnector().getEmptySessionPath()
+ && (context != null)) {
+ contextPath = context.getEncodedPath();
+ }
+ if ((contextPath != null) && (contextPath.length() > 0)) {
+ newCookie.setPath(contextPath);
+ } else {
+ newCookie.setPath("/");
+ }
+ if (isSecure()) {
+ newCookie.setSecure(true);
+ }
+ if (context == null) {
+ response.addCookieInternal(newCookie, false);
+ } else {
+ response.addCookieInternal(newCookie, context.getUseHttpOnly());
+ }
+ }
+ }
+
+
+ /**
* Return the session associated with this Request, creating one
* if necessary and requested.
*
Modified:
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/session/ManagerBase.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/session/ManagerBase.java?rev=918761&r1=918760&r2=918761&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/session/ManagerBase.java
(original)
+++
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/session/ManagerBase.java
Wed Mar 3 23:11:30 2010
@@ -936,6 +936,17 @@
}
+ /**
+ * Change the session ID of the current session to a new randomly generated
+ * session ID.
+ *
+ * @param session The session to change the session ID for
+ */
+ public void changeSessionId(Session session) {
+ session.setId(generateSessionId());
+ }
+
+
// ------------------------------------------------------ Protected Methods
Modified:
tomcat/tc5.5.x/trunk/container/modules/cluster/src/share/org/apache/catalina/cluster/session/JvmRouteBinderValve.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/modules/cluster/src/share/org/apache/catalina/cluster/session/JvmRouteBinderValve.java?rev=918761&r1=918760&r2=918761&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/container/modules/cluster/src/share/org/apache/catalina/cluster/session/JvmRouteBinderValve.java
(original)
+++
tomcat/tc5.5.x/trunk/container/modules/cluster/src/share/org/apache/catalina/cluster/session/JvmRouteBinderValve.java
Wed Mar 3 23:11:30 2010
@@ -406,9 +406,8 @@
* new session id for node migration
*/
protected void changeRequestSessionID(Request request, Response response,
String sessionId, String newSessionID) {
- request.setRequestedSessionId(newSessionID);
- if(request.isRequestedSessionIdFromCookie())
- setNewSessionCookie(request, response,newSessionID);
+ request.changeSessionId(newSessionID);
+
// set orginal sessionid at request, to allow application detect the
// change
if (sessionIdAttribute != null && !"".equals(sessionIdAttribute)) {
@@ -451,6 +450,8 @@
* @param request current request
* @param response Tomcat Response
* @param sessionId The session id
+ *
+ * @deprecated Use {...@link Request#changeSessionId(String)}
*/
protected void setNewSessionCookie(Request request,
Response response, String sessionId) {
Modified:
tomcat/tc5.5.x/trunk/container/modules/ha/src/share/org/apache/catalina/ha/session/JvmRouteBinderValve.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/modules/ha/src/share/org/apache/catalina/ha/session/JvmRouteBinderValve.java?rev=918761&r1=918760&r2=918761&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/container/modules/ha/src/share/org/apache/catalina/ha/session/JvmRouteBinderValve.java
(original)
+++
tomcat/tc5.5.x/trunk/container/modules/ha/src/share/org/apache/catalina/ha/session/JvmRouteBinderValve.java
Wed Mar 3 23:11:30 2010
@@ -406,9 +406,8 @@
* new session id for node migration
*/
protected void changeRequestSessionID(Request request, Response response,
String sessionId, String newSessionID) {
- request.setRequestedSessionId(newSessionID);
- if(request.isRequestedSessionIdFromCookie())
- setNewSessionCookie(request, response,newSessionID);
+ request.changeSessionId(newSessionID);
+
// set orginal sessionid at request, to allow application detect the
// change
if (sessionIdAttribute != null && !"".equals(sessionIdAttribute)) {
@@ -451,6 +450,8 @@
* @param request current request
* @param response Tomcat Response
* @param sessionId The session id
+ *
+ * @deprecated Use {...@link Request#changeSessionId(String)}
*/
protected void setNewSessionCookie(Request request,
Response response, String sessionId) {
Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=918761&r1=918760&r2=918761&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Wed Mar 3
23:11:30 2010
@@ -85,6 +85,11 @@
<bug>41059</bug>: Reduce the chances of errors when using
ENABLE_CLEAR_REFERENCES. Patch by Curt Arnold. (markt)
</fix>
+ <add>
+ <bug>45255</bug>: Add the ability to change session ID on
+ authentication to protect against session fixation attacks. This is
+ disabled by default. (markt/kkolinko)
+ </add>
<fix>
<bug>46967</bug>: Better handling of errors when trying to use
Manager.randomFile. Based on a patch by Kirk Wolf. (kkolinko)
Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/config/valve.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/config/valve.xml?rev=918761&r1=918760&r2=918761&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/config/valve.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/config/valve.xml Wed Mar 3
23:11:30 2010
@@ -435,6 +435,13 @@
<strong>org.apache.catalina.authenticator.BasicAuthenticator</strong>.</p>
</attribute>
+ <attribute name="changeSessionIdOnAuthentication" required="false">
+ <p>Controls if the session ID is changed if a session exists at the
+ point where users are authenticated. This is to prevent session
fixation
+ attacks. If not set, the default value of <code>false</code> will be
+ used.</p>
+ </attribute>
+
<attribute name="disableProxyCaching" required="false">
<p>Controls the caching of pages that are protected by security
constraints. Setting this to <code>false</code> may help work around
@@ -487,6 +494,13 @@
<strong>org.apache.catalina.authenticator.DigestAuthenticator</strong>.</p>
</attribute>
+ <attribute name="changeSessionIdOnAuthentication" required="false">
+ <p>Controls if the session ID is changed if a session exists at the
+ point where users are authenticated. This is to prevent session
fixation
+ attacks. If not set, the default value of <code>false</code> will be
+ used.</p>
+ </attribute>
+
<attribute name="disableProxyCaching" required="false">
<p>Controls the caching of pages that are protected by security
constraints. Setting this to <code>false</code> may help work around
@@ -539,6 +553,13 @@
<strong>org.apache.catalina.authenticator.FormAuthenticator</strong>.</p>
</attribute>
+ <attribute name="changeSessionIdOnAuthentication" required="false">
+ <p>Controls if the session ID is changed if a session exists at the
+ point where users are authenticated. This is to prevent session
fixation
+ attacks. If not set, the default value of <code>false</code> will be
+ used.</p>
+ </attribute>
+
<attribute name="characterEncoding" required="false">
<p>Character encoding to use to read the username and password
parameters
from the request. If not set, the encoding of the request body will be
@@ -597,6 +618,13 @@
<strong>org.apache.catalina.authenticator.SSLAuthenticator</strong>.</p>
</attribute>
+ <attribute name="changeSessionIdOnAuthentication" required="false">
+ <p>Controls if the session ID is changed if a session exists at the
+ point where users are authenticated. This is to prevent session
fixation
+ attacks. If not set, the default value of <code>false</code> will be
+ used.</p>
+ </attribute>
+
<attribute name="disableProxyCaching" required="false">
<p>Controls the caching of pages that are protected by security
constraints. Setting this to <code>false</code> may help work around
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
