https://issues.apache.org/bugzilla/show_bug.cgi?id=51284
Bug #: 51284
Summary: Session Fixation is solved without invalidating an existing HTTP session
Product: Tomcat 6
Version: 6.0.29
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: michael_fur...@hotmail.com
Classification: Unclassified

Created attachment 27083
--> https://issues.apache.org/bugzilla/attachment.cgi?id=27083
The AuthenticatorBase.java file with a fix that invalidates an existing HTTP session after authentication

The Session Fixation Vulnerability was solved recently in Tomcat 6 and in Tomcat 7. Unfortunately, Session Fixation is solved without invalidating the existing HTTP session.

I do agree that generation of a new session ID solves many Session Fixation attacks. In any case, an advanced attacker is able to put a vulnerable object in a known HTTP session and then force the session on a user. Please note that in this case the HTTP session will have a new ID and the attacker will not be able to access the session from a client. In any case, with the vulnerable object in the session he can access other objects and maybe even send them remotely.

I do recommend changing the implementation to invalidate the existing HTTP session after the authentication. Please find attached code with a fix. I tested this code in my development environment.

Best regards,
Michael
Security Architect
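To make the distinction in the report concrete, here is an added example (not the reporter's attachment and not Tomcat's own AuthenticatorBase code) contrasting the two post-login strategies in plain Servlet API terms: rotating only the session ID, which keeps every attribute planted before login, versus invalidating the pre-authentication session and recreating it with an explicit allow-list. The class name and the `CARRY_OVER` set are assumptions for illustration.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper, assumed to be called right after credentials were verified. */
public final class PostLoginSessionHandler {

    /** Attributes the application deliberately allows to survive login (assumed example). */
    private static final Set<String> CARRY_OVER = Set.of("cart");

    /**
     * Strategy the report criticises: keep the same session object and only
     * change its identifier. Any attribute an attacker stored in the session
     * before the victim logged in is still present afterwards.
     * request.changeSessionId() is the Servlet 3.1 API; Tomcat 6 predates it.
     */
    public static HttpSession rotateIdOnly(HttpServletRequest request) {
        request.changeSessionId();          // new ID, same attribute map
        return request.getSession(false);
    }

    /**
     * Strategy the report recommends: invalidate the pre-authentication session
     * and start a fresh one, copying only an explicit allow-list of attributes.
     * Everything else, including objects of unknown origin, is discarded.
     */
    public static HttpSession invalidateAndRecreate(HttpServletRequest request, Object principal) {
        HttpSession old = request.getSession(false);
        Map<String, Object> keep = new HashMap<>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                if (CARRY_OVER.contains(name)) {
                    keep.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();               // drops the old ID and all other attributes
        }
        HttpSession fresh = request.getSession(true);   // new ID, empty attribute map
        keep.forEach(fresh::setAttribute);
        fresh.setAttribute("principal", principal);
        return fresh;
    }
}
```

Because `invalidate()` also fires `HttpSessionListener` and binding-listener callbacks, anything the application keyed on the old session ID is cleaned up rather than silently carried over.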