Turning Off Session Fixation Protection in Tomcat 7


News: Turning Off Session Fixation Protection in Tomcat 7

  1. Session fixation protection is a new security feature added as a result of the Tomcat 7 release effort and added to all versions from 6.0.21 onwards. Session fixation happens when an attacker sends a real URL with a session ID attached to a user for a business, say a bank, where they have an account. The minute the victim logs in using that URL, the session becomes validated and the attacker can simply click the link and have full access to the victims account and potentially money.

    The Apache Security Team devised a simple fix by automatically changing the ID of a session randomly upon authentication. The original session ID is not destroyed, but it can no longer be found authenticated by that ID. As it is turned on by default, the entire configuration is implicit and can not be found by browsing the context.xml file. 

    To turn it off, explains Mark Thomas, Tomcat 7 release manager, explains today in an article on Tomcatexpert.com:

    If you do not wish to use this protection, you need to modify the configuration of the internal valve in Tomcat that does the authentication.

    Normally you do not see this valve in a server.xml or context.xml file. As soon as you configure a web application with authentication, whether its basic, form, digest or client cert, Tomcat will automatically insert the appropriate authentication valve into your configuration. To turn it off, rather than relying on Tomcat’s implicit configuration, you will need to add it explicitly.

    So, if you were using basic authentication, you would need to navigate to the context.xml file for your application (not $CATALINA_BASE/conf/context.xml - that is the global context.xml that provides defaults for all web applications) and add a valve using class="org.apache.catalina.authenticator.BasicAuthenticator" and also set the parameter changeSessionIdOnAuthentication="false".  For more information on the various valves and classes needed, please see the Apache Tomcat Valve Configuration documentation.

    Warning: Turning off Session Fixation Protection is not recommended as it leaves your application vulnerable to these types of attacks, however in some cases it may break application functionality and must be turned off until the application can be fixed to handle this protection.


  2. Session Fixation for Tomcat 7[ Go to top ]

    Hi there, I read your article on the Session Fixation for Tomcat 7 and would like to have a sample definition of a Valve setup for the same. The tomcat assigns a different session ID to each request as expected, but I end up getting a "null" value for session.getID(). Any help on this would be great. Thanks in advance. Cheers, Utsav