Apache Geronimo > Discussion Forums  User List | Dev List | Wiki | Issue Tracker  
Apache
 » 
Geronimo
 » 
Apache Geronimo - Dev

 « Return to Thread: [jira] Created: (GERONIMO-4722) XSS/XSRF filters are triggering Session object creation for unknown URLs

[jira] Created: (GERONIMO-4722) XSS/XSRF filters are triggering Session object creation for unknown URLs

by JIRA jira@apache.org :: Rate this Message:

Reply to Author | View in Thread

XSS/XSRF filters are triggering Session object creation for unknown URLs
------------------------------------------------------------------------

                 Key: GERONIMO-4722
                 URL: https://issues.apache.org/jira/browse/GERONIMO-4722
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
    Affects Versions: 2.1.4, 2.2
            Reporter: Kevan Miller
            Priority: Minor
             Fix For: 2.1.5, 2.2


The XSS/XSRF filters are causing session objects to be created for unknown urls. For instance, a request for localhost:8080/nonexistenturl creates a session, as indicated in following stack trace:

http-0.0.0.0-8080-1@10 daemon, priority=5, in group 'main', status: 'RUNNING'
          at org.apache.catalina.session.StandardManager.createSession(StandardManager.java:284)
          at org.apache.catalina.connector.Request.doGetSession(Request.java:2,312)
          at org.apache.catalina.connector.Request.getSession(Request.java:2,075)
          at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:833)
          at org.apache.geronimo.console.filter.XSRFHandler.isInvalidSession(XSRFHandler.java:79)
          at org.apache.geronimo.console.filter.XSSXSRFFilter.doFilter(XSSXSRFFilter.java:109)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
          at org.apache.geronimo.tomcat.valve.DefaultSubjectValve.invoke(DefaultSubjectValve.java:56)
          at org.apache.geronimo.tomcat.GeronimoStandardContext$SystemMethodValve.invoke(GeronimoStandardContext.java:406)
          at org.apache.geronimo.tomcat.valve.GeronimoBeforeAfterValve.invoke(GeronimoBeforeAfterValve.java:47)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
          at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
          at java.lang.Thread.run(Thread.java:613)


--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

 « Return to Thread: [jira] Created: (GERONIMO-4722) XSS/XSRF filters are triggering Session object creation for unknown URLs

Free embeddable forum powered by Nabble Forum Help