Dave (jav...@yahoo.com)


User Information

Display Name: Dave
Partial Email Address: jav...@yahoo.com
Posts: 16 total, 16 in Tomcat

5 Most Recent
1) Dave Re: tomcat session security hole
Tomcat

Hi Martin,

Thanks for your help.
I looked at the two links you provided. But I do not understand how they can solve the problem. I must be missing something.

For SSL, the URL still needs to have the session id, for example,
https://www.xyz.com/returnPage.jsp;jsessionid=188727usdfkjaf-92098js8980?name='Foo'

For session id encryption that is one-way encryption appending a digest code to the URL, the URL also needs to have the session id so that Tomcat will know the session id of the requests.

https://www.xyz.com/returnPage.jsp;jsessionid=188727usdfkjaf-92098js8980?name='Foo'&digest='abc123'

Please give me further help. Thanks,
Dave


Martin Gainty <mgainty@hotmail.com> wrote:
Hi Dave

http://www.securityfocus.com/infocus/1774
suggests either implementing with
SSL connector
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

-or-
Encrypt each sessionid
If you don't have the former you'll definitely want to implement the latter.
Here's an example
http://www.spiration.co.uk/post/1199

Martin--
----- Original Message -----
From: "Dave"
To: "Tomcat Users List"
Sent: Tuesday, December 18, 2007 9:09 PM
Subject: tomcat session security hole


> Hi, I am using URL rewriting for session tracking, i.e., the session id is on
> the URL. After I log into a web application, if someone else knows my
> current session id, he/she can access my account using the session id. It is
> ok because it is difficult for others to guess my session id. But right now
> I encounter an issue that will breach the security.
>
> Our web application is using a 3rd party payment system. When a user
> clicks the pay button, we need to tell the payment system a return URL, a page
> URL to go to after a user finishes with the payment system. The return URL
> needs to have the user's session id so that he/she will not need to login
> again after returning from the payment system. In this case, the 3rd party payment
> system will know the user's session id, a security hole.
>
> Is there a solution for this scenario? Is it the same security hole for cookie
> based session tracking? In our case, we have to use URL rewriting because
> sometimes a new session is needed when users click some links on pages.
>
> In my opinion, session id is not sufficient to identify a session; it
> should have the client's ip address for more security.
>
> Thanks for any ideas.
> Dave


---------------------------------------------------------------------
To start a new topic, e-mail: [email protected: u...@tomcat.apache.org]
To unsubscribe, e-mail: [email protected: users-unsubs...@tomcat.apache.org]
For additional commands, e-mail: [email protected: users...@tomcat.apache.org]

2) Dave tomcat session security hole
Tomcat

Hi, I am using URL rewriting for session tracking, i.e., the session id is on the URL. After I log into a web application, if someone else knows my current session id, he/she can access my account using the session id. It is ok because it is difficult for others to guess my session id. But right now I encounter an issue that will breach the security.

Our web application is using a 3rd party payment system. When a user clicks the pay button, we need to tell the payment system a return URL, a page URL to go to after a user finishes with the payment system. The return URL needs to have the user's session id so that he/she will not need to login again after returning from the payment system. In this case, the 3rd party payment system will know the user's session id, a security hole.

Is there a solution for this scenario? Is it the same security hole for cookie based session tracking? In our case, we have to use URL rewriting because sometimes a new session is needed when users click some links on pages.

In my opinion, session id is not sufficient to identify a session; it should have the client's ip address for more security.

Thanks for any ideas.
Dave


       
3) Dave Re: SSL problem with Tomcat 5.5
Tomcat

In my case, apache is in the front as a load balancer (JK module). I read an instruction that says SSL is only needed between client and Apache, but SSL is not configured between apache and tomcat. I am using JBOSS 4.2.2.

In my environment, the security between apache and tomcat is a concern. How to configure SSL all the way between client --> Apache --> Tomcat?

Thanks!
dave


Schadler Johann <aon.913111623@aon.at> wrote:
To ensure you have a valid keystore with the included private key and a
reference to the alias 'tomcat', I recommend strongly to create a new keystore as
described in the reference (see links in other answer mails). At least you
can create a self-signed certificate if you don't need one signed by a
trusted CA.

To check if SSL is running you can test it from a Linux or Unix box with
installed OpenSSL with the following command:

echo -e "GET /jsp-examples/index.jsp HTTP/1.0\r\n\r\n" | openssl s_client -connect localhost:8443 -ssl3 -debug -quiet

Replace URI-context and welcome file, replace hostname and port if
necessary, change SSL mode to ssl2 or tls as needed.

Johann


----- Original Message -----
From: "Bob Grabbe"
To: "'Tomcat Users List'"
Sent: Monday, November 26, 2007 10:48 PM
Subject: RE: SSL problem with Tomcat 5.5


> OK, I've attached a new file with the startup. Unfortunately I'm not seeing
> anything in any logs that indicate any https requests.
> Just in case, what's the command to generate a new empty keystore file?
> I've seen the notes on the tomcat docs for creating the csr, but I didn't do
> that this time. I might try it though, if I can get godaddy to go through
> the process with me again,
>
> Thanks
>
> Bob Grabbe
> University of Michigan
> [email protected: bg...@umich.edu]
> _________________________________________________________________________
> "Research is the process of going up alleys to see if they are blind." --
> Marston Bates
>
>> -----Original Message-----
>> From: Hassan Schroeder [email protected: hassan.schr...@gmail.com]
>> Sent: Monday, November 26, 2007 4:09 PM
>> To: Tomcat Users List
>> Subject: Re: SSL problem with Tomcat 5.5
>>
>> What would be best would be catalina.log at startup, showing
>> whether the SSL connector started cleanly.
>>
>> And of course, any log entry relating specifically to an HTTPS
>> request.
>>
>>> I didn't generate a new csr, I figured renewing the cert shouldn't need
>>> that. Do I need to go through that or should I be able to just renew it?
>>
>> Dunno about GoDaddy, but when I "renew" a Thawte cert for one of
>> my sites, I have to generate a new cert request. So I just create a new
>> keystore file, named something like keystore-example.com-2007, and
>> use that for the new cert.
>>
>> HTH!
>> --
>> Hassan Schroeder ------------------------ [email protected: hassan.schr...@gmail.com]


4) Dave How to disconnect a request from current session
Tomcat

For cookie based session tracking, on a jsp or jsf page, when a user clicks links, all requests are in the same session. Is there a way to open a new session when a user clicks a link and sends a request? Can a Filter do that?

If I open a new IE from the desktop, all requests from the new IE window are in a different session. Is there a way to run IE or any other application by clicking on a page?

Thanks for any help.
David

       
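The two questions in "tomcat session security hole" (keeping the session id out of the return URL handed to the payment provider) and "How to disconnect a request from current session" (starting a new session from a Filter) can be served by one servlet Filter. What follows is an added example written for this page; it is not code from the thread, from Tomcat, or from the articles Martin linked. It targets the javax.servlet API of Tomcat 5.5, and the parameter names pay, paytoken and newsession, the request attribute paymentReturnUrl and the path /returnPage.jsp are assumptions. The point it makes is the one Dave raises against the SSL and digest suggestions: both still put jsessionid in the URL. Instead, the return URL carries a random single-use token that maps, server-side, back to the session; when the user comes back the token is redeemed once, the session state is copied into a brand-new session and the old one is invalidated, so the id that existed while the third party was in the loop is dead.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not code from the thread. Parameter names "pay", "paytoken" and
// "newsession", the attribute "paymentReturnUrl" and /returnPage.jsp are assumptions.
public class SessionGuardFilter implements Filter {
    /** One pending payment round trip: the session to resume and when its token was issued. */
    private static final class Pending {
        final HttpSession session;
        final long issuedAt = System.currentTimeMillis();
        Pending(HttpSession session) { this.session = session; }
    }

    private static final long TOKEN_TTL_MS = 15 * 60 * 1000L;   // a token is worthless after 15 minutes
    private final Map<String, Pending> pending = new ConcurrentHashMap<String, Pending>();
    private final SecureRandom random = new SecureRandom();

    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { pending.clear(); }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Case 1, "?pay=1": the page is about to send the user to the payment system. Mint a
        // single-use token and publish a return URL built by hand (response.encodeURL() would
        // append ;jsessionid=...) so the third party only ever sees the token.
        if (request.getParameter("pay") != null) {
            HttpSession session = request.getSession(false);
            if (session == null) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
            String token = newToken();
            pending.put(token, new Pending(session));
            request.setAttribute("paymentReturnUrl", "https://" + request.getServerName()
                    + request.getContextPath() + "/returnPage.jsp?paytoken=" + token);
        }

        // Case 2, "?paytoken=...": the user is back. Redeem the token exactly once, move the state
        // into a brand-new session and kill the old one, so the id that existed while the third
        // party was in the loop is no longer usable by anyone.
        String token = request.getParameter("paytoken");
        if (token != null) {
            Pending p = pending.remove(token);
            if (p == null || System.currentTimeMillis() - p.issuedAt > TOKEN_TTL_MS) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN); return;
            }
            rotate(request, p.session);
        }

        // Case 3, "?newsession=1": the clicked link must start from an empty, unrelated session
        // (the question in "How to disconnect a request from current session").
        if (request.getParameter("newsession") != null) {
            HttpSession current = request.getSession(false);
            if (current != null) current.invalidate();
            request.getSession(true);
        }
        chain.doFilter(request, response);
    }

    /** Copies the attributes of {@code old} into a freshly created session and invalidates {@code old}. */
    private static void rotate(HttpServletRequest request, HttpSession old) {
        Map<String, Object> state = new HashMap<String, Object>();
        try {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                state.put(name, old.getAttribute(name));
            }
            old.invalidate();
        } catch (IllegalStateException alreadyExpired) {
            // the old session timed out while the user was away: resume with an empty one
        }
        HttpSession current = request.getSession(false);   // null when the cookie named the now-dead session
        if (current != null && current != old) current.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : state.entrySet()) fresh.setAttribute(e.getKey(), e.getValue());
    }

    /** 160 random bits from SecureRandom, hex-encoded: unguessable and safe in a URL. */
    private String newToken() {
        byte[] raw = new byte[20];
        random.nextBytes(raw);
        StringBuilder hex = new StringBuilder(raw.length * 2);
        for (byte b : raw) hex.append(String.format("%02x", b & 0xff));
        return hex.toString();
    }
}
```

Map the filter to /* in web.xml and have the pay page read the paymentReturnUrl request attribute instead of calling response.encodeURL() on a link to returnPage.jsp. The token still travels in a URL, so it will appear in the provider's logs and in Referer headers; that is why it is random, single-use, short-lived and never equal to the session id. The pending table lives in one JVM: on a JBoss cluster like the one in the "Load balancer" post, either route the return request to the node that issued the token (sticky routing) or keep the table in a shared store. Entries that are never redeemed keep a reference to their session, so sweep entries older than TOKEN_TTL_MS wherever the application's other housekeeping runs.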
5) Dave Load balancer (apache or hardware)
Tomcat

I am in the process of setting up a cluster of a number of JBoss instances. Should I use Apache or a hardware load balancer in the front? Please advise. I am concerned about Security and Performance.

Thanks
Dave

       