https://issues.apache.org/bugzilla/show_bug.cgi?id=51631

--- Comment #5 from Michael <michael_fur...@hotmail.com> 2011-08-08 10:41:48 UTC ---
(In reply to comment #2)
> Full file patches, especially when against old old version of the code, are a
> complete pain to work with. That is why patches should be provided in diff -u
> format. As far as I can tell, the attached patch adds a setter and getter for
> alwaysUseSession.
> 
> The getter and setter are clearly missing so adding them is a good thing to 
> do.
> I'll get that done for 7.0.x and 6.0.x.
> 
> I fail to see how the session fixation protection is triggering session data
> loss. All it ever does is change the session ID, if a session already exists.
> It never, ever, creates a new session. For example, Tomcat's Manager
> application uses BASIC authentication and does not experience the problem
> described here.
> 
> At the moment, this looks like an application issue that should be explored on
> the users list. If that discussion identifies a Tomcat bug then this issue can
> be re-opened and an explanation provided as to how to reproduce this issue.

I do not agree that it is an application issue; it is a security issue.
How to simulate it?
You just need to use Basic Authentication and to protect some resource that
creates a session, for example a JSP file (a JSP file creates a session by default).
What will happen?
1) The Basic authenticator will authenticate the user without creating a session.
2) The request will come to the JSP, which will create a session and put some
information in the session.
3) On the next request to the same resource, the Basic authenticator will
authenticate the request once again, since the principal does not exist in the
request, and finally it will call the register method.
4) In the register method the session will be replaced by the following lines:

    if (session != null) {
        if (changeSessionIdOnAuthentication) {
            Manager manager = request.getContext().getManager();
            manager.changeSessionId(session);
            request.changeSessionId(session.getId());
        }
    }

5) The application (JSP) loses everything that it put in the session.


How to prevent the problem?
If an application uses a session and wants to use an authentication method that
does not use a session, it is required to enforce session creation by the
authenticator.

So, it is required to use the variable not for performance, but to prevent
session loss.

Please tell me what you think.
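The three-request sequence described in the comment above, as a stand-alone Java model added here (not Tomcat code, and not an example from the bug reporter): the `Manager`, `Session` and `simulate` names are assumptions. It contrasts re-keying an existing session under a new ID (attributes survive) with discarding the session and creating a fresh one (attributes are lost), which is exactly the behavioural difference the two comments disagree about.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Stand-alone model of the flow in comment #5; hypothetical names, not Tomcat's API.
public class SessionIdChangeModel {
    // A session: an id plus a bag of attributes.
    static final class Session {
        String id = UUID.randomUUID().toString();
        final Map<String, Object> attrs = new HashMap<>();
    }

    // Minimal stand-in for a session manager: sessions indexed by id.
    static final class Manager {
        final Map<String, Session> sessions = new HashMap<>();

        Session create() { Session s = new Session(); sessions.put(s.id, s); return s; }
        Session find(String id) { return sessions.get(id); }

        // Re-key the existing session under a new id; its attributes survive.
        void changeSessionId(Session s) {
            sessions.remove(s.id);
            s.id = UUID.randomUUID().toString();
            sessions.put(s.id, s);
        }

        // Naive alternative: invalidate the session and start a fresh, empty one.
        Session replaceSession(Session s) {
            sessions.remove(s.id);
            return create();
        }
    }

    // Request 1: BASIC auth succeeds without a session, the JSP creates one and stores data.
    // Request 2: same resource, authenticator runs again and register() touches the session.
    // Request 3: the JSP reads its attribute back through the id the client now holds.
    static Object simulate(boolean rekey) {
        Manager mgr = new Manager();
        Session s = mgr.create();
        s.attrs.put("cart", "3 items");             // constructed sample attribute
        Session found = mgr.find(s.id);
        if (rekey) { mgr.changeSessionId(found); } else { found = mgr.replaceSession(found); }
        String clientCookie = found.id;             // new id is sent back in the cookie
        return mgr.find(clientCookie).attrs.get("cart");
    }

    public static void main(String[] args) {
        System.out.println("re-key session id : " + simulate(true));
        System.out.println("replace session   : " + simulate(false));
    }
}
```

Only the second path reproduces the data loss the comment reports; whether Tomcat's `changeSessionId` behaves like the first or the second is what a reproduction on a real deployment has to settle.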
