How to prevent tomcat session hijacking?

Question

In my web.xml I've defined a user-data-constraint for some resources:

<security-constraint>
 <web-resource-collection>
  <web-resource-name>Personal Area</web-resource-name>
  <url-pattern>/personal/*</url-pattern>
 </web-resource-collection>
 <web-resource-collection>
  <web-resource-name>User Area</web-resource-name>
  <url-pattern>/user/*</url-pattern>
 </web-resource-collection>
 <user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 </user-data-constraint>
</security-constraint>

1. When I load the page with http I've got my JSESSIONID ID1 in my cookie.
2. When I change to context/user/sample.faces then Tomcat makes a 302 redirect to HTTPS. But my JSESSIONID is still ID1.

I think this is a vulnerability? Or is it my configuration mistake?

The problem I see is the following: While browsing over HTTP with cookie ID1 there is an attacker who is listening to my network traffic. He "steals" my cookie ID1. Now I switch to HTTPS and my cookie is still ID1. I login. The attacker is then able to taker over my session because he knows my cookie...

Answer 1

I think it works like this by design. You can't base your access control on session. You need to use other parameters. You need to add authentication and use role-based control.

In Tomcat, there is protection but exactly opposite. If you get a session in secure area, that session is not transfered to unprotected area. Tomcat achieves this by setting "secure" flag on the cookie so the cookie is not sent to the HTTP connections.

Answer 2

If it's a recent version of Tomcat, you may not have a problem. However, this depends on your checking the SSL ID associated with the session. This is available using code such as

String sslId = (String) req.getAttribute("javax.servlet.request.ssl_session");

(Note that the attribute key may change in the future to javax.servlet.request.ssl_session_id - as part of the Servlet 3.0 spec).

I set up a servlet with the following doGet method:

protected void doGet(HttpServletRequest request, HttpServletResponse response)
     throws ServletException, IOException {
 HttpSession session = request.getSession(true);
 String sid = session.getId();
 String sslId = (String) request.getAttribute(
                "javax.servlet.request.ssl_session");
 String uri = request.getRequestURI();
 OutputStream out = response.getOutputStream();
 PrintWriter pw = new PrintWriter(out);
 HashMap<String, Object> secrets;
 Object secret = null;
 Object notSecret;
 Date d = new Date();

 notSecret = session.getAttribute("unprotected");
 if (notSecret == null) {
  notSecret = "unprotected: " + d.getTime();
  session.setAttribute("unprotected", notSecret);
 }
 secrets = (HashMap<String, Object>) session.getAttribute("protected");
 if (secrets == null) {
  secrets = new HashMap<String, Object>();
  session.setAttribute("protected", secrets);
 }
 if (sslId != null) {
  if (secrets.containsKey(sslId))
   secret = secrets.get(sslId);
  else {
   secret = "protected: " + d.getTime();
   secrets.put(sslId, secret);
  }
 }
 response.setContentType("text/plain");
 pw.println(MessageFormat.format("URI: {0}", new Object[] { uri }));
 pw.println(MessageFormat.format("SID: {0}", new Object[] { sid }));
 pw.println(MessageFormat.format("SSLID: {0}", new Object[] { sslId }));
 pw.println(MessageFormat.format("Info: {0}", new Object[] { notSecret }));
 pw.println(MessageFormat.format("Secret: {0}", new Object[] { secret }));
 pw.println(MessageFormat.format("Date: {0}", new Object[] { d }));
 pw.close();
}

I then invoked a suitable unprotected URL using Firefox and the Live HTTP Headers extension, to get the session cookie. This was the response sent when I navigated to

http://localhost:8080/EchoWeb/unprotected

(my web.xml, like yours, only protects /user/* and /personal/*):

URI: /EchoWeb/unprotected
SID: 9ACCD06B69CA365EFD8C10816ADD8D71
SSLID: null
Info: unprotected: 1254034761932
Secret: null
Date: 27/09/09 07:59

Next, I tried to access a protected URL

http://localhost:8080/EchoWeb/personal/protected

and, as expected, I got redirected to

https://localhost:8443/EchoWeb/personal/protected

and the response was

URI: /EchoWeb/personal/protected
SID: 9ACCD06B69CA365EFD8C10816ADD8D71
SSLID: 4abf0d67549489648e7a3cd9292b671ddb9dd844b9dba682ab3f381b462d1ad1
Info: unprotected: 1254034761932
Secret: protected: 1254034791333
Date: 27/09/09 07:59

Notice that the cookie/session ID is the same, but we now have a new SSLID. Now, let's try to spoof the server using the session cookie.

I set up a Python script, spoof.py:

import urllib2

url = "https://localhost:8443/EchoWeb/personal/protected"
headers = {
 'Host': 'localhost:8080',
 'User-Agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3',
 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
 'Accept-Language': 'en-gb,en;q=0.5',
 'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
 'Cookie' : 'JSESSIONID=9ACCD06B69CA365EFD8C10816ADD8D71'
}
req = urllib2.Request(url, None, headers)
response = urllib2.urlopen(req)
print response.read()

Now, you don't need to know Python, particularly - I'm just trying to send an HTTP request to a (different) protected resource with the same session ID in the Cookie. Here's the response when I ran my spoof script twice:

C:\temp>spoof
URI: /EchoWeb/personal/protected
SID: 9ACCD06B69CA365EFD8C10816ADD8D71
SSLID: 4abf0eafb4ffa30b6579cf189c402a8411294201e2df94b33a48ae7484f22854
Info: unprotected: 1254034761932
Secret: protected: 1254035119303
Date: 27/09/09 08:05


C:\temp>spoof
URI: /EchoWeb/personal/protected
SID: 9ACCD06B69CA365EFD8C10816ADD8D71
SSLID: 4abf0eb184cb380ce69cce28beb01665724c016903650539d095c671d98f1de3
Info: unprotected: 1254034761932
Secret: protected: 1254035122004
Date: 27/09/09 08:05

Notice in the above responses that the session data (a value with a timestamp of 1254034761932) which was set in the first, unprotected request, has been sent throughout, because Tomcat is using the same session because the session ID is the same. This is of course not secure. However, note that the SSL IDs were different each time and if you use those to key into your session data (e.g. as shown), you should be safe. If I refresh my Firefox tab, here's the response:

URI: /EchoWeb/personal/protected
SID: 9ACCD06B69CA365EFD8C10816ADD8D71
SSLID: 4abf0d67549489648e7a3cd9292b671ddb9dd844b9dba682ab3f381b462d1ad1
Info: unprotected: 1254034761932
Secret: protected: 1254034791333
Date: 27/09/09 08:05

Notice that the SSLID is the same as for the earlier Firefox request. So, the server can tell the sessions apart using the SSL ID value. Notice particularly that the "protected data" is the same for each request made from the Firefox session, but different for each of the spoofed sessions and also different from the Firefox session.

Answer 3

I suggest to change the sessionId when you authenticate the session.
In this way the old sessionId becomes useless and session hijacking is impossible.
To change the sessionId in a servlet container:

• copy all the attributes of the current session on a temp collection
• session.invalidate()
• session = req.getSession(true)
• fill the new session with the attributes from the temp collection

About SSLID, please note that both client and server are free to close the connection at any time. When closed a new SSL handshake will happen and a new SSID generated. So, IMO SSLID is not a reliable way to track (or help to track) sessions.