https://issues.apache.org/bugzilla/show_bug.cgi?id=55521
            Bug ID: 55521
           Summary: Race Condition in HttpSession#invalidate() /
                    HttpServletRequest#getSession(boolean)
           Product: Tomcat 7
           Version: 7.0.40
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Servlet & JSP API
          Assignee: dev@tomcat.apache.org
          Reporter: christoph.lud...@haufe-lexware.com

Created attachment 30798
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=30798&action=edit
code flow that exhibits the race condition

For session fixation protection, we have to discard a user's session and create
a new one whenever the user's login state changes. For this we rely on Spring
Security's SessionFixationProtectionStrategy that, at its core, uses the
following commands:

  session.invalidate();
  session = request.getSession(true);

Yesterday, we had a message in the log that indicates the latter command
returned the same session that was invalidated in the line before:
"Your servlet container did not change the session ID when a new session was
created. You will not be adequately protected against session-fixation attacks
(catalina-exec-339,
org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy,
SessionFixationProtectionStrategy.java:102)"

When I investigated this issue, I found there is in fact a race condition if
two threads (associated with requests from the same client) enter the session
fixation protection code in parallel. I attached a TXT file that illustrates
the code flow that leads to the race condition: When thread B calls
session.invalidate(), the call returns immediately becuase the session is
already in the "expiring" state. Since the session is not invalid yet, the call
to request.getSession(true) won't create a new session, though. So in effect,
thread B cannot obtain a new session.

The documentation at http://tomcat.apache.org/tomcat-7.0-doc/servletapi/ has no
indication that a session may not yet be invalid when session.invalidate()
returns. The session interface neither provides a way to detect "expiring"
session.

The error message appears only once in the production log files that go some
weeks back, so it seems to be an infrequent event. Nevertheless, it should be
possible to implement session fixation without a race condition.

Regards
Christoph

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to