Subject: Tomcat & httpd - Avoiding Session Fixation Attacks by using Identity Confirmation
From: Rich...@f1000.com (Rich@f1000.com)
Date: Mar 16, 2010 7:46:59 am
List: org.apache.tomcat.users

I'm trying to avoid session fixation attacks by using Identity Confirmation (invalidating the user's session and creating a new one when they sign in). This works fine when just using Tomcat; however, when httpd is handling the requests and forwarding them through mod_jk, the post-signin JSESSIONID is the same as before the user signed in.

I'm using Spring 3.0, which should handle the session invalidation and creation automatically; however, it is spitting out the following message: org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy - Your servlet container did not change the session ID when a new session was created. You will not be adequately protected against session-fixation attacks

I'm using Apache 2.2 and Tomcat 6.0.18.

Has anyone come across this problem? My hunch is that it lies with mod_jk or Apache httpd configuration. The closest thread I found was http://markmail.org/thread/ya5qojmhb5bzmull but it covers only attacks where JSESSIONID was passed in as a parameter, and does not use Identity Confirmation.

Cheers, Richard
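For readers who want to see what the "identity confirmation" step in the post amounts to at the servlet level, here is an added example written against the Servlet 2.5 API that Tomcat 6 ships. It is not code from the post, from Spring Security or from Tomcat; the LoginServlet class, the in-memory credential map and the authenticate() method are constructed for illustration. migrateSession() copies the attributes of the pre-login session, invalidates it, creates a replacement, and then performs the same comparison that produces Spring's warning: if the container returned the same id, it logs the fact so the problem is visible in the application log rather than only in Spring's output.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not from the post or from Spring Security/Tomcat.
// Hand-rolled session migration on sign-in (Servlet 2.5 API, as in Tomcat 6).
public class LoginServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(LoginServlet.class.getName());

    // Constructed demo credential store; a real application would use its own user store.
    private static final Map<String, String> DEMO_USERS = new HashMap<String, String>();
    static {
        DEMO_USERS.put("alice", "correct horse battery staple");
    }

    // Hypothetical credential check, only here so the servlet is complete.
    static boolean authenticate(String user, String pass) {
        if (user == null || pass == null) {
            return false;
        }
        String expected = DEMO_USERS.get(user);
        return expected != null && expected.equals(pass);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        if (!authenticate(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Identity confirmation: only after a successful login do we discard the
        // session the browser arrived with and bind the user to a fresh one.
        HttpSession fresh = migrateSession(req);
        fresh.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /**
     * Invalidates the current session (if any) and returns a newly created one,
     * carrying over the old attributes. Returns the new session.
     */
    static HttpSession migrateSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        String oldId = null;
        Map<String, Object> saved = new HashMap<String, Object>();

        if (old != null) {
            oldId = old.getId();
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }

        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }

        // This is the condition Spring's SessionFixationProtectionStrategy reports:
        // the container handed back the same id for the replacement session.
        if (oldId != null && oldId.equals(fresh.getId())) {
            LOG.warning("Session id unchanged after invalidate/create: " + oldId
                    + " (session fixation protection is not effective on this path)");
        }
        return fresh;
    }
}
```

Deploying this servlet and exercising it both directly against Tomcat and through httpd/mod_jk, as the post describes, gives a direct way to confirm whether the id reuse happens on the connector path only: the warning line appears in the application log for exactly the requests where the replacement session kept the old JSESSIONID.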