Re: How to use JSESSIONID on follow-on request without basic auth?
On Tue, 19 Jan 2010, markspace wrote:
> Tom Anderson wrote:
>> I'm surprised it works. Disappointed, even - that doesn't seem very
>> secure. I suspect it may be implementation-dependent - what's the
>> server that is being fed the session IDs?
>
> If a client is behind a proxy, then normal HTTP requests could be seen
> coming from different IP addresses. In other words, one request could
> be routed through proxy A, then the next request could see proxy A under
> higher load, and be routed through proxy B. Both proxy A and proxy B
> should have different IP addresses.
In which case the server could repeat its demand for authentication when
the requests come via proxy B. It means an additional round-trip when that
happens, but that doesn't seem like a huge deal.
> I'm not sure what kind of vulnerabilities this introduces. Hopefully
> security depends on more state than just the jsession ID. One should
> have a hash or unique ID set in the cookie, I think.
If an attacker can get the JSESSIONID, then it would be able to get those
too, no?
Of course, once I start using words like 'attacker', I'm talking about
security, and then the answer is that the connection should be using
HTTPS. Plain HTTP with authentication is really only a deterrent to idle
troublemakers, not serious villains.
tom
--
You have now found yourself trapped in an incomprehensible maze.
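Following the thread's conclusion that a bare session ID is a bearer token whose real protection is HTTPS rather than IP binding, here is an added example (not from anyone in the thread) of a servlet filter that refuses to honour a JSESSIONID presented over plain HTTP. It assumes a Servlet 3.0+ container and that `request.isSecure()` reflects the actual transport (behind a TLS-terminating proxy you would need the container's remote-IP/proto handling configured first).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not from the thread. Assumes a Servlet 3.0+ container and an
// application that is only meant to be reached over HTTPS.
@WebFilter("/*")
public class SessionTransportFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            // A session ID that travelled over plain HTTP may already have been
            // observed by a third party, so treat it as burnt: invalidate it
            // instead of letting the request continue with it.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // Do not serve anything or evaluate credentials on the insecure
            // transport; send the client to the HTTPS origin instead.
            String target = "https://" + request.getServerName() + request.getRequestURI();
            response.sendRedirect(target);
            return;
        }

        // Request arrived over TLS: let it through to the application.
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig fc) throws ServletException {}
    @Override public void destroy() {}
}
```

Pair this with the container's cookie settings so the browser never sends the ID in clear in the first place: in a Servlet 3.0 web.xml that is `<session-config><cookie-config><secure>true</secure><http-only>true</http-only></cookie-config></session-config>`.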