Why is SSL_SESSION_ID changing?

on 18.10.2005 12:28:31 by Ryszard Lach

Hi.
We are developing a java-based webapp, a kind of CMS. The problem is
that a relatively big group of its users will have rights to create
pages, upload files etc., and also to upload javascript pages. In this case an
attacker will be able to steal somebody's session (e.g. by creating a JS page
which will read the JSESSIONID cookie and forward it to its author).

We thought that one possible solution would be binding the user's
session to SSL_SESSION_ID (i.e. keeping SSL_SESSION_ID in the user's session
and comparing it at every request with the ID read from this request).

The problem is that SSL_SESSION_ID is changing regardless of
SSLSessionCacheTimeout (we've set it to a very high value). I suppose that
it's not caused by the server (mod_ssl, after writing the SESSION_ID to the cache, is
able to get it back every time, 100% hit rate).

Is there any reason for which the ssl sessions are renegotiated
(sometimes even three times during one minute)? Is it possible to block
such renegotiations at the server/application side, or is it very
browser-dependent?

T.I.A.

R.

--
"First they ignore you. Then they laugh at you. Then they
fight you. Then you win." - Mohandas Gandhi.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Why is SSL_SESSION_ID changing?

on 18.10.2005 12:56:54 by Mads Toftum

On Tue, Oct 18, 2005 at 12:28:31PM +0200, Ryszard Lach wrote:
> We thought that one possible solution would be binding the user's
> session to SSL_SESSION_ID (i.e. keeping SSL_SESSION_ID in the user's session
> and comparing it at every request with the ID read from this request).
>
Don't - SSL_SESSION_ID isn't usable for longer lifetime sessions.

> The problem is that SSL_SESSION_ID is changing regardless of
> SSLSessionCacheTimeout (we've set it to a very high value). I suppose that
> it's not caused by the server (mod_ssl, after writing the SESSION_ID to the cache, is
> able to get it back every time, 100% hit rate).
>
> Is there any reason for which the ssl sessions are renegotiated
> (sometimes even three times during one minute)? Is it possible to block
> such renegotiations at the server/application side, or is it very
> browser-dependent?
>
Lifetime can't be forced from the server side, all you can do is set an
upper bound on it. The client may very well choose to cut the session
earlier. I've seen clients that let sessions live longer with a higher
level of security on the session - but it still isn't a good choice.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall

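The binding check proposed in the first message, together with the failure mode the reply warns about, as an added example that is not from the thread or from mod_ssl. The store class, its method names and the SSL_SESSION_ID values are constructed for illustration; the point is that a stolen cookie and a legitimately renegotiated SSL session produce the same verdict.

```python
import secrets


class BoundSessionStore:
    """Application sessions keyed by JSESSIONID, each pinned to the
    SSL_SESSION_ID observed when the session was created (hypothetical)."""

    def __init__(self):
        self._sessions = {}  # JSESSIONID -> {"user": ..., "ssl_session_id": ...}

    def create(self, user, ssl_session_id):
        jsessionid = secrets.token_hex(16)
        self._sessions[jsessionid] = {"user": user, "ssl_session_id": ssl_session_id}
        return jsessionid

    def check_request(self, jsessionid, ssl_session_id):
        """Validate one request; returns (user, verdict).
        On a mismatch the session is destroyed (fail closed): the server
        cannot distinguish a stolen cookie from a client whose SSL session
        was simply renegotiated, so both end up logged out."""
        sess = self._sessions.get(jsessionid)
        if sess is None:
            return None, "unknown session"
        if sess["ssl_session_id"] != ssl_session_id:
            del self._sessions[jsessionid]
            return None, "ssl session id mismatch"
        return sess["user"], "ok"


def demo():
    """Run the three request scenarios from the thread on constructed ids."""
    store = BoundSessionStore()
    ssl_id = "aa11"  # constructed stand-in for mod_ssl's SSL_SESSION_ID
    jsid = store.create("alice", ssl_id)
    verdicts = {}

    # 1. Same browser, same SSL session: accepted.
    verdicts["same_ssl_session"] = store.check_request(jsid, ssl_id)

    # 2. The stolen JSESSIONID is presented over the attacker's own SSL
    #    connection (different SSL_SESSION_ID): rejected, as intended.
    verdicts["stolen_cookie"] = store.check_request(jsid, "bb22")

    # 3. Alice's browser renegotiates and gets a new SSL_SESSION_ID, as the
    #    reply says it may at any time: identical verdict, Alice is logged out.
    jsid = store.create("alice", ssl_id)
    verdicts["renegotiated"] = store.check_request(jsid, "cc33")
    return verdicts


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:18} -> {verdict}")
```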