Monitoring Page not accessible if sessionids are used inside the URL
Closed this issue · 3 comments
GoogleCodeExporter commented
What steps will reproduce the problem?
1. Disable Cookies for SessionIds in the Servlet Container
2. Log on to the application and access the monitoring url with the jsessionid
appended to it.
What is the expected output? What do you see instead?
The Monitoring page should be shown. But the MonitoringFilter does not handle
the request.
What version of the product are you using? On what application server, JDK,
operating system?
I'm using version 1.54.0 on an embedded tomcat 7.0.54. JDK 1.8 on Windows 7.
Please provide any additional information below.
The problem is on line 166 in the MonitoringFilter. httpRequest.getRequestURI()
returns the URI with appended ;jsessionid=FOO. So it does not match the
monitoring URL as the sessionid is missing here.
    if (httpRequest.getRequestURI().equals(getMonitoringUrl(httpRequest))) {
        doMonitoring(httpRequest, httpResponse);
        return;
    }
Unfortunately it is not possible to override the getMonitoringUrl Method
because it is marked as final. It would be the best to strip the sessionId from
the requestURI.
Original issue reported on code.google.com by daniel.f...@gmail.com
on 22 Dec 2014 at 1:02
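As an added example (not javamelody's own code), a stand-alone helper that strips servlet path parameters such as `;jsessionid=...` from a request URI before the equality check quoted above, so that `/app/monitoring;jsessionid=FOO` compares equal to `/app/monitoring`. The class and method names (`PathParameterStripper`, `stripPathParameters`, `isMonitoringRequest`) and the sample URIs are assumptions made for the example.

```java
// Added example, not code from the javamelody project.
// Servlet containers keep path parameters in getRequestURI(), so
// "/app/monitoring;jsessionid=ABC" never equals "/app/monitoring".
// getRequestURI() does not include the query string, so only the path
// is handled here.
public final class PathParameterStripper {

    private PathParameterStripper() {
    }

    /**
     * Removes every ";name=value" path parameter from every segment of the
     * given path, e.g. "/a;x=1/b;jsessionid=ABC" becomes "/a/b".
     */
    public static String stripPathParameters(String requestUri) {
        if (requestUri == null) {
            return null;
        }
        StringBuilder cleaned = new StringBuilder(requestUri.length());
        for (int i = 0; i < requestUri.length(); i++) {
            char c = requestUri.charAt(i);
            if (c == ';') {
                // Skip everything up to the next segment separator; the
                // parameter belongs to the current segment only.
                int nextSlash = requestUri.indexOf('/', i);
                if (nextSlash < 0) {
                    break; // parameter runs to the end of the URI
                }
                i = nextSlash - 1; // loop increment lands on the '/'
                continue;
            }
            cleaned.append(c);
        }
        return cleaned.toString();
    }

    /** Hypothetical replacement for the equality test quoted in the issue. */
    public static boolean isMonitoringRequest(String requestUri, String monitoringUrl) {
        return stripPathParameters(requestUri).equals(monitoringUrl);
    }

    public static void main(String[] args) {
        // Constructed sample URIs; the session id value is a placeholder.
        String withSession = "/app/monitoring;jsessionid=PLACEHOLDER";
        System.out.println(stripPathParameters(withSession));
        System.out.println(isMonitoringRequest(withSession, "/app/monitoring"));
        System.out.println(isMonitoringRequest("/app/other;jsessionid=PLACEHOLDER", "/app/monitoring"));
    }
}
```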
GoogleCodeExporter commented
First, you should note that disabling session cookies could cause a security
problem, by leaking session id.
For example:
http://seckb.yehg.net/2012/06/httponly-session-id-in-url-and-page.html
If you don't care about that security problem, then a workaround to this issue
would be to add the javamelody ReportServlet in your webapp. For this, just add
the following in the WEB-INF/web.xml file of your webapp:
    <servlet>
        <servlet-name>monitoringServlet</servlet-name>
        <servlet-class>net.bull.javamelody.ReportServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>monitoringServlet</servlet-name>
        <url-pattern>/monitoring</url-pattern>
    </servlet-mapping>
You can change the url-pattern above to anything you want, provided that you
use the same path in your browser to access the reports.
Original comment by evernat@free.fr
on 22 Dec 2014 at 2:17
GoogleCodeExporter commented
We are aware of the problem with session ids in URLs. But we use them in
combination with a security token inside an HttpOnly cookie. So an attacker
would need both, the session id from the url and the token from the cookie, to
access our page.
Thanks for the hint with the ReportServlet. It works now.
Maybe this Servlet could be documented somewhere? I searched in the user guide
and user guide advanced for ReportServlet but did not find anything.
Original comment by daniel.f...@gmail.com
on 24 Dec 2014 at 6:44
GoogleCodeExporter commented
I have now documented the ReportServlet at:
https://code.google.com/p/javamelody/wiki/UserGuideAdvanced#Using_a_servlet_to_display_the_monitoring_reports
(And I will not change the code, to strip possible sessionIds from the
requestUri, because I think that it is a very rare case and it's better to keep
performance overhead as low as possible.)
Original comment by evernat@free.fr
on 10 Jan 2015 at 7:10
- Changed state: Done