WebApp Sec mailing list archives

RE: JRun: The Easiness of Session Fixation


From: "Javor Evstatiev" <Javor.Evstatiev () d-con com>
Date: Sat, 1 Mar 2003 21:13:49 +0100

Hej,

I can only speak with certainty about PHP, but this should also work in Java:

I save the incoming IP address when the session is created. On each request I compare the incoming IP address with the IP stored in the session. If it does not match, there is something foul.


cheers
j

-----Original Message-----
From: Christoph Schnidrig [mailto:christoph.schnidrig () csnc ch]
Sent: Friday, 28 February 2003 15:36
To: bugtraq () securityfocus com; webappsec () securityfocus com
Subject: JRun: The Easiness of Session Fixation


Hi all

The Session-ID Fixation paper available from http://www.acros.si/papers/session_fixation.pdf mentions that JRun accepts arbitrary Session-IDs and creates new sessions with the proposed Session-ID. This means that it is possible to send the following URL http://foo/bar?jsessionid=foo123 and the JRun server will accept and use the proposed Session-ID (foo123). Furthermore, the server will set a cookie in the user's browser with the proposed Session-ID! Using this technique, it is much easier to exploit this kind of attack and to enter others' web application sessions.

Is anybody aware of a vendor patch or another workaround? Is it possible to force the server to create a new Session-ID?


Thanks a lot

Christoph
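The two defences discussed in this thread, the server refusing to adopt a client-proposed session ID (Christoph's question about forcing a new Session-ID) and Javor's per-request IP comparison, are illustrated below as an added example. It is written in Python against a small in-memory session store of my own, not PHP or JRun code, and not code from either poster. The `SessionStore` class, the `"foo123"` proposed ID and the IP addresses are constructed for the illustration; the only real library calls are `secrets.token_urlsafe` and `hmac.compare_digest`.

```python
import hmac
import secrets


class SessionStore:
    """Illustrative server-side session table (constructed for this example).

    Two properties matter for session fixation:
      1. Session IDs are minted only by the server from a CSPRNG. An ID the
         client proposes (cookie or ?jsessionid=...) that the server never
         issued is ignored and a fresh one is handed out, instead of being
         adopted as JRun did in the post.
      2. The ID is regenerated at the login boundary, so an ID known to a
         third party before authentication is worthless afterwards.
    Javor's check, binding the session to the IP seen at creation, is
    applied on every lookup.
    """

    def __init__(self):
        # sid -> {"ip": str, "user": str or None}
        self._sessions = {}

    def _new_id(self):
        # 32 random bytes, URL-safe; never derived from client input
        return secrets.token_urlsafe(32)

    def create(self, client_ip):
        sid = self._new_id()
        self._sessions[sid] = {"ip": client_ip, "user": None}
        return sid

    def resolve(self, proposed_sid, client_ip):
        """Map an incoming request to a session.

        Returns (sid, status) where status is one of:
          "ok"          known ID, same IP as at creation
          "new"         no ID or an ID the server never issued -> fresh ID
          "ip_mismatch" known ID but a different IP -> session destroyed,
                        fresh ID issued (Javor's check)
        """
        if proposed_sid is not None and proposed_sid in self._sessions:
            sess = self._sessions[proposed_sid]
            # constant-time compare; IPs are ASCII so str is acceptable
            if not hmac.compare_digest(sess["ip"], client_ip):
                del self._sessions[proposed_sid]
                return self.create(client_ip), "ip_mismatch"
            return proposed_sid, "ok"
        # Unknown or absent ID: issue our own rather than adopting the proposal.
        return self.create(client_ip), "new"

    def login(self, old_sid, user):
        """Authenticate the session and rotate its ID in the same step."""
        sess = self._sessions.pop(old_sid)
        sess["user"] = user
        new_sid = self._new_id()
        self._sessions[new_sid] = sess
        return new_sid

    def get_user(self, sid):
        sess = self._sessions.get(sid)
        return sess["user"] if sess else None


def simulate_fixation(store):
    """Walk through the scenario from the post against this store.

    A victim at 10.0.0.5 (constructed) arrives with ?jsessionid=foo123 that
    someone else chose, logs in, and the chooser later presents foo123 from
    198.51.100.7 (constructed). Returns what each side ends up with.
    """
    victim_sid, status = store.resolve("foo123", "10.0.0.5")
    victim_sid = store.login(victim_sid, "alice")
    other_sid, other_status = store.resolve("foo123", "198.51.100.7")
    return {
        "victim_got_proposed_id": victim_sid == "foo123",
        "victim_first_status": status,
        "victim_user": store.get_user(victim_sid),
        "other_status": other_status,
        "other_user": store.get_user(other_sid),
    }


if __name__ == "__main__":
    print(simulate_fixation(SessionStore()))
```

The IP comparison is a useful tripwire but not a complete fix on its own: users behind load-balanced proxies or mobile carriers change addresses mid-session and will be logged out, and two clients behind the same NAT share an address. Refusing client-chosen IDs and rotating the ID at login are the parts that actually close the fixation window.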


