JBAS-2568

Passing a cookie header with a spurious JSESSION value to embedded Tomcat results in creation of session with that id


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: JBossAS-4.0.2 Final, JBossAS-4.0.3 Final, JBossAS-4.0.3 SP1
    • Fix Version/s: None
    • Component/s: Web (Tomcat) service
    • Labels: None

      Description

      If you craft an HTTP request with a made-up session cookie (e.g. 'Cookie: JSESSIONID=bogus; $Path=/somewebapp'), embedded JBoss will create a session for you with id 'bogus'. I tested this in standalone Tomcat (versions 5.5.9 and 5.5.12) and Tomcat created a session using its own generated session id.

      This was tested using a non-distributable webapp, so the JBoss clustered Manager was not involved.

      To reproduce, deploy the war included in the attached file. Then use wget to pass in a bogus request:

      $ wget --header='Cookie: $Version=0; JSESSIONID=blablabla; $Path=/TestSession' -S http://localhost:8080/TestSession/TestSession

      The biggest concern I have about this is the difference in behavior between embedded Tomcat and standalone Tomcat.
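One defensive measure against the behaviour described above, added here as an example and not taken from the JBAS-2568 report or from JBoss itself: a servlet filter that turns away any request presenting a session id the container does not already hold, so the container never gets the chance to adopt a client-chosen value as a new session's id. It assumes the Servlet 2.4 `javax.servlet` API that JBossAS 4.0.x ships, a session cookie named JSESSIONID, and a hypothetical package name `example.session`.

```java
// Added example, not part of the JBAS-2568 report or of JBoss.
// Assumes the Servlet 2.4 API (javax.servlet) and a JSESSIONID cookie.
package example.session; // hypothetical package name

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RejectUnknownSessionIdFilter implements Filter {

    private static final String SESSION_COOKIE = "JSESSIONID";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String requestedId = request.getRequestedSessionId();
        // isRequestedSessionIdValid() asks the session Manager whether it already
        // holds a live session under that id. It does not create one, so this
        // check runs before the container could adopt the client's value.
        if (requestedId != null && !request.isRequestedSessionIdValid()) {
            String method = request.getMethod();
            if ("GET".equals(method) || "HEAD".equals(method)) {
                // Expire the cookie and have the client retry without it; any
                // session created on the retry then gets a container-generated id.
                Cookie expired = new Cookie(SESSION_COOKIE, "");
                expired.setMaxAge(0);
                String ctx = request.getContextPath();
                expired.setPath(ctx.length() == 0 ? "/" : ctx);
                response.addCookie(expired);
                response.sendRedirect(selfUrlWithoutSessionId(request));
            } else {
                // A POST carrying a stale or forged id cannot be replayed safely,
                // so refuse it outright rather than redirecting.
                response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "Unknown session id; retry without the session cookie");
            }
            return;
        }
        chain.doFilter(req, res);
    }

    /** Rebuilds the request URL minus any ;jsessionid=... path parameter. */
    static String selfUrlWithoutSessionId(HttpServletRequest request) {
        String uri = request.getRequestURI();
        int semi = uri.indexOf(';');
        if (semi >= 0) {
            uri = uri.substring(0, semi);
        }
        String query = request.getQueryString();
        return query == null ? uri : uri + '?' + query;
    }
}
```

Map the filter to `/*` in the webapp's web.xml so it runs ahead of every servlet. A user whose old session simply expired gets one redirect with the cookie cleared and then continues normally; a client that ignores the expiry and keeps re-sending the same cookie would loop on the redirect, so pair this with a redirect limit or a log entry per rejection if that matters in your deployment. In a distributable webapp the clustered Manager may briefly not know a session created on another node, which this check would also reject; the report above states it was tested only with a non-distributable webapp.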

      People

      • Assignee: Unassigned
      • Reporter: brian.stansberry (Brian Stansberry)