Tomcat 7 新特性学习之二 改变JSessionID来防止固定SessionID攻击

一个固定的Session攻击通常发生在以下情况：

1.恶意用户访问一个web site，这个JSessionID被保存在浏览器的cookie里面，即便用户并没有登录改网站。这种情况下，他就可以伪造一个带有该JsessionID的URL，并发送给受害者。（例如， http://example.com/login?JESSIONID=qwerty)

 

2.受害者点这个带有jsessionid的URL，提示输入验证信息之后就登陆系统。

 

3.攻击者现在使用这个带jsessionid的链接，以受害者的身份登陆进系统了。

 

It is trivial for the attacker to add a jsessionid in the URL as well as to send it in the header using a malicious form. (For a full description of session fixation attacks, read the whitepaper "Session Fixation Vulnerability in Web-based Applications " from Acros Security.)

The solution implemented by the Tomcat team is a patch that changes the jsessionid after authentication. This patch has been applied to Tomcat 7 and has also been backported to Tomcat 5 and 6 with some differences.

According to Mark Thomas , the results of this patch in Tomcat 7 are:

• Tomcat is not vulnerable by default because the session ID changes upon authentication.
• If this default is changed by the user (e.g. because the application can't handle a changing session ID), then the risks may be minimized by disabling session tracking via URL (a new feature in Servlet 3).

And in Tomcat 5 and 6, the results of the patch are:

• Session fixation attacks can be prevented by enabling Tomcat to change the session ID on authentication (if there is insufficient support for this to be enabled by default).
• If the application can't handle a changing session ID then the risks may be minimized by writing a custom filter that checks request.isRequestedSessionIdFromURL() and responds accordingly (e.g. rejecting the request).

The above changes work transparently behind the scenes; the developer does not have to do anything. The users session (jsessionid) is changed after login. This completely prevents session fixation attacks