
Problem with session security feature of JBoss 6 using servlet 3.0

We migrated our application from JBoss 5 to JBoss 6 and one of the main reasons for this is to make use of the new features of servlet 3.0. Everything works fine apart from one new feature of JBoss 6 and servlet 3.0: setting the session cookie to only be transferred through a secure channel even if the request was made through plain HTTP. This is a very important security feature for us and is achieved by adding

<secure>true</secure>

in web.xml. This is part of our web.xml:

<session-config>
    <session-timeout>25</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

When we remove the

<secure>true</secure>

everything works fine. When it is there, there is a new jsessionid generated for each request even when being on a secure page (HTTPS) or in an unsecured page (HTTP). Also, the login does not work since after login with secure credentials the user is redirected back to the login page.

I suppose this might be also an issue with Tomcat 7 since it also uses the servlet 3.0 spec. Any advice would be much appreciated.

Regards


According to the HTTP Specification:

Secure

Optional. The Secure attribute (with no value) directs the user agent to use only (unspecified) secure means to contact the origin server whenever it sends back this cookie.

The user agent (possibly under the user's control) may determine what level of security it considers appropriate for "secure" cookies. The Secure attribute should be considered security advice from the server to the user agent, indicating that it is in the session's interest to protect the cookie contents.

It means that the specification leaves it open to the browser (user agent) to define what is "secure".

The Secure element in the web.xml is a reference for the HTTP Cookie Secure property, and you can track that value with your browser's debug tool.

If the communication is not "secure", the browser won't send the received cookie to the server on the following requests.

The problem is not JBoss always returning new cookies, but the browser that is not sending it back because the communication is insecure. JBoss then creates a new session for every request.

It is very clear that for non-encrypted communication (not HTTPS) the browser won't send the cookie; this is expected since you are marking the cookie as secure = true.

But, even if you are using HTTPS, the "secure" is relative to the browser concept of security, for example:

  • The certificate can be expired
  • The certificate is self-signed
  • You are using a hostname different from the one the certificate was signed for

These and other security problems can happen using TLS, meaning the communication is not secure.

The problem must be with your SSL/TLS or Cookie configuration, which means you have to check what you have done and isolate the problem. I don't think there is any bug in JBoss or JBossWeb (Tomcat 6 fork) causing it, and for sure it is not a specification error.

I was able to configure a JBoss 6.1.0 Final with TLS and with your web.xml configuration, and everything worked as expected.

I suggest you double-check your configuration, browser debug and alerts.
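Added example, not part of the question or the answer above: the user-agent side of this behaviour is implemented by Python's standard-library http.cookiejar, which like a browser refuses to attach a Secure cookie to a request that is not HTTPS. The server below is a constructed model of what the answer describes (a new session whenever no JSESSIONID arrives); the host name and session ids are sample values, not real ones.

```python
"""Reproduce why a Secure session cookie is returned over HTTPS but not over
plain HTTP, so the server sees a fresh session on every HTTP request."""
import email.message
import http.cookiejar
import itertools
import urllib.request


class _Response:
    """Minimal response stand-in that CookieJar.extract_cookies() accepts."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


class _SessionServer:
    """Constructed model of the servlet container: if no JSESSIONID cookie
    arrives, start a new session and issue the cookie with the attributes that
    <secure>true</secure> and <http-only>true</http-only> produce.
    Session ids are sample counters, not real identifiers."""

    def __init__(self):
        self._ids = itertools.count(1)

    def handle(self, request):
        cookie_header = request.get_header("Cookie", "")
        if "JSESSIONID=" in cookie_header:
            sid = cookie_header.split("JSESSIONID=")[1].split(";")[0]
            return sid, None                    # existing session, no Set-Cookie
        sid = "S%03d" % next(self._ids)
        return sid, "JSESSIONID=%s; Path=/app; Secure; HttpOnly" % sid


def session_ids_seen(scheme, requests=3, host="app.example.test"):
    """Drive `requests` round trips over the given scheme through one cookie
    jar and return the session id the server saw on each of them."""
    jar = http.cookiejar.CookieJar()   # applies the Secure rule like a browser
    server = _SessionServer()
    seen = []
    for _ in range(requests):
        req = urllib.request.Request("%s://%s/app/login" % (scheme, host))
        jar.add_cookie_header(req)     # attaches the Secure cookie only on https
        sid, set_cookie = server.handle(req)
        seen.append(sid)
        if set_cookie:
            jar.extract_cookies(_Response(set_cookie), req)
    return seen
```

Over "https" every round trip reports the same session id; over "http" the jar keeps the cookie but never sends it, so the server issues a new id each time.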
