You are here

Session fixation attack on Apache Tomcat 6

Tomcat, Session Fixation

Apache Tomcat 6.0.33 to 6.0.37 does not consider the disableURLRewriting setting when handling a session id in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL (CVE-2014-0033) [1].

The configuration center of Airlock 4.2 is not affected because regular logins to the configuration center always generate a session cookie. As a consequence, additional session IDs in URLs will be ignored by Tomcat. Airlock 5 is not affected since Tomcat 7 is used.


If you are using an affected Tomcat 6 version and want to prevent session IDs in URLs we recommend to upgrade Tomcat to version 6.0.39 (and setting disableURLRewriting to true [2]) or to upgrade to Version 7 where session IDs in URLs are disabled by default.

If you can't upgrade your Tomcat 6 back-end and therefore can not disable session IDs in URLs (which is enabled by default in Tomcat 6) you can protect the back-end with Airlock by applying one of the following approaches:

  • Enable URL encryption - this helps not only against this vulnerability but enhances the security in general
  • Remove all jsession IDs in HTTP responses by configuring a rewriting rule on the affected Tomcat Mapping. Further configure a deny rule to prevent jsession IDs in HTTP request paths. Configuration details:
    • Rewriting Rule
      Create a new Rewrite Response Body (HTML only) rule with the URL pattern ;jsessionid=[[:xdigit:]]+ and blank Replace with field on the affected mapping. Screenshot of the rewrite rule (click on image to enlarge):
      jsession id rewrite rule
    • Deny Rule
      Create a new deny rule with the pattern ;jsessionid= and enable the deny rule on the affected mapping. Screenshot of the deny rule (click on image to enlarge):
      jsession id deny rule
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Airlock protects, requires changes in configuration