Monday, June 02, 2008

Tomcat Authentication Session Fixation Issues

I recently worked on a project that was using Tomcat's authentication and realms to manage user access and authentication. Part of the project was to pass the client's internal security audit. It was noted during the audit that Tomcat's built-in authentication is susceptible to a basic session fixation attack.

For details on session fixation, see this link.

Here is a breakdown of what was happening in our project...

- User accesses protected URL
- Tomcat creates session and saves user's original URL to session.
- User is redirected to login page
- User authenticates *
- User is redirected to error page or original URL depending on success of authentication.

The problem is that the session id is not regenerated after the user is successfully authenticated (* above). The issue we had is very similar to what was detailed here.

In our setup we were using Tomcat 6.0.13 with form authentication and an LDAP realm.

The fix, which is also detailed on the link above, was to build a Valve that intercepts access to j_security_check and regenerates the session id before each login attempt (success or failure).

Everything was pretty simple, the only trick was that Java doesn't have a method to regenerate the session id so you have to save all the session variables, destroy the session, and then create a new session.

Here is a link to the deployed Valve.

Feel free to post any comments or suggestions.