Summary: SingleSignOn Cookie does not honor https access: Login Information Disclosure
Product: Tomcat 5
Component: Catalina
Reporter: Olaf Kock <asf-bugzilla-2006>
Assignee: Tomcat Developers Mailing List <dev>
Attachments: Patch to set secure flag on SSO cookie when requested over https
Description Olaf Kock 2006-12-20 05:13:27 UTC
When using the SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) via https, the cookie JSESSIONIDSSO is transmitted without the "secure" attribute, resulting in it being transmitted to any content that is - on purpose or by error - requested via http from the same server. As the content of the SSO cookie is confidential (it will lead to automatically logged-in sessions in other contexts - https or non-https), this should never happen.

Sorry to have no patch. I've not installed the complete source distribution in my development environment, but it seems the points to change are in org.apache.catalina.authenticator.AuthenticatorBase.register(...), the code of interest being (from 5.5.30 source distribution):

    Cookie cookie = new Cookie(Constants.SINGLE_SIGN_ON_COOKIE, ssoId);
    cookie.setMaxAge(-1);
    cookie.setPath("/");
    hres.addCookie(cookie);

As hres is an org.apache.catalina.HttpRequest, and I've looked through the code to find org.apache.catalina.Request.setSecure() but no ...isSecure() (though this is mentioned in the Javadoc for ...setSecure()), I suppose there needs to be another change to provide isSecure on Request or HttpRequest, but this is difficult to tell only from the editor. If isSecure() was there, there'd be a cookie.setSecure(hres.isSecure()) missing in the statements above...
Comment 1 Chris Halstead 2007-01-11 17:15:31 UTC
Created attachment 19397
Patch to set secure flag on SSO cookie when requested over https

There is an isSecure() method available in the Request object used by AuthenticatorBase... not sure why you couldn't find it. Attaching a patch that sets the secure flag on the SSO cookie when accessed via https.
Comment 2 Mark Thomas 2007-01-13 19:19:17 UTC
This has been fixed in svn. Many thanks for the patch. The fix will be in 5.5.21 onwards.
Comment 3 Olaf Kock 2007-01-22 02:03:09 UTC
Thanks for the fix - I believe I did not see the Request method because I had no IDE environment ready for the Tomcat source and just browsed through the source in a simple text editor - it's a lot easier to miss methods there.

Olaf
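
Added example, not part of the bug report or of Tomcat's code: a check over captured Set-Cookie headers that flags a JSESSIONIDSSO cookie issued over https without the Secure attribute, and a model of the browser rule that lets such a cookie go out over plain http. The header values, the function names and the simplified prefix path match are assumptions made for this illustration.

```python
from http.cookies import SimpleCookie

SSO_COOKIE = "JSESSIONIDSSO"  # cookie name from the report

# Constructed sample headers: what the valve sent before and after the fix.
SAMPLE_BEFORE = "JSESSIONIDSSO=0123456789ABCDEF; Path=/"
SAMPLE_AFTER = "JSESSIONIDSSO=0123456789ABCDEF; Path=/; Secure"


def parse_set_cookie(header_value):
    """Return (name, value, secure, path) for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    name, morsel = next(iter(jar.items()))
    return name, morsel.value, bool(morsel["secure"]), morsel["path"] or "/"


def sent_with_request(cookie, scheme, path):
    """Would a browser attach this cookie to a same-host request?

    Assumption: path matching is reduced to a plain prefix test and the
    host is taken to be the one that set the cookie.
    """
    _name, _value, secure, cookie_path = cookie
    if secure and scheme != "https":
        return False  # the Secure attribute keeps the cookie off cleartext http
    return path.startswith(cookie_path)


def audit(responses):
    """responses: iterable of (request_scheme, set_cookie_header_value).

    Returns the SSO cookies that were issued over https without Secure.
    """
    findings = []
    for scheme, header in responses:
        cookie = parse_set_cookie(header)
        name, _value, secure, _path = cookie
        if name == SSO_COOKIE and scheme == "https" and not secure:
            findings.append(cookie)
    return findings


if __name__ == "__main__":
    for label, header in (("before fix", SAMPLE_BEFORE), ("after fix", SAMPLE_AFTER)):
        cookie = parse_set_cookie(header)
        leaked = sent_with_request(cookie, "http", "/otherapp/index.jsp")
        print(f"{label}: sent over http = {leaked}, findings = {len(audit([('https', header)]))}")
```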