Java Secure Session

Whenever a user authenticates, your application must change the session ID it uses. This helps prevent someone from setting up a session, copying its session ID, and then tricking the user into using that session. Since the attacker already knows the session identifier, he can use it to access the session after the user logs in, giving him full access. This attack is called session fixation. How can I change the session ID after a user logs in?

+6
Tags: java, security, session
4 answers

You are still on the server while you are invalidating the session, so pull out what you need first.

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;

    // get the stuff out of the session you want before invalidating it
    HttpSession currentSession = request.getSession(true);
    UserProfile userProfile = (UserProfile) currentSession.getAttribute("userProfile");
    // now invalidate it (the server forgets the old, possibly attacker-known id)
    currentSession.invalidate();
    // get a new session (new random id) and put the data back in
    HttpSession newSession = request.getSession(true);
    newSession.setAttribute("userProfile", userProfile);
+7

Get the existing one; invalidate it; create a new one...

1) Get the current session with HttpServletRequest.getSession();
2) Invalidate the session: HttpSession.invalidate();
3) Create a new one: HttpServletRequest.getSession(true);

+2

Generally speaking (because this is not a Java problem at all, it is a general problem on the web), session fixation occurs when session identifiers are easy to discover or guess. The main attack method is when the session identifier is in the URL of the page, for example http://example.com/index?sessionId=123 . An attacker can set up a session, then put a link to it on his page, trick a user into visiting it, and thereby become part of the user's session. Then, when the user authenticates, the session is authenticated. To prevent this, avoid URL-based session identifiers and use cookies instead.

Some web applications will use a cookie-based session but set it from the original URL: for example, by visiting http://example.com/index?sessionId=123 you would see the session id in the URL, and the application would then create a session cookie from it, setting the id in the session cookie to 123. To prevent this, generate random session identifiers on the server without using any user input as a seed for the generator.

There are also browser-based exploits where a poorly coded browser will accept cookies being set for domains other than the origin domain, but there is not much you can do about that. And Cross Site Scripting attacks, where an attacker can inject a script into the attacked site to set a session cookie, which can be mitigated by setting the session cookie to HTTP_ONLY (although Safari does not respect this flag).

For Java, the general recommendation is

    session.invalidate();
    session = request.getSession(true);

However, at one point this did not work in JBoss, so you need to check that it works as expected in the framework you have chosen.

+1

Invalidate the current session and get a new one:

    // invalidate the current session
    request.getSession().invalidate();
    // get another session and read its id; getSession() creates a session if one does not exist
    String newSessionId = request.getSession().getId();
0
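Putting the answers together, as an added example that is not part of any of the posts above: a servlet context listener that applies the advice from the third answer (cookie-only session tracking, HttpOnly and Secure on the session cookie) and a login servlet that performs the invalidate()/getSession(true) rotation from the first and fourth answers, copying over only a whitelist of pre-login attributes. Assumptions: the javax.servlet API at Servlet 3.1 or later (use the jakarta.servlet package on Servlet 5+), that the application is served over HTTPS (needed for the Secure flag), and that the attribute names userProfile and locale, the /home redirect target and the in-memory demo credential store are illustrative placeholders, not anything from the question. The two public classes go in their own source files.

```java
// Added example; assumes javax.servlet (Servlet 3.1+), HTTPS, and placeholder names.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Cookie-only tracking plus HttpOnly/Secure on the session cookie (Servlet 3.0+ API). */
@WebListener
public class SessionSecurityListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Never accept or emit ;jsessionid=... in URLs: that is the fixation vector
        // the third answer describes.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        ctx.getSessionCookieConfig().setHttpOnly(true); // page script cannot read the cookie
        ctx.getSessionCookieConfig().setSecure(true);   // assumes the app is served over HTTPS
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
    }
}

/** Login handler that issues a new session id once the credentials check out. */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    private static final String USER_ATTR = "userProfile"; // placeholder attribute name
    // Constructed demo credential store; a real application checks a salted hash in a database.
    private static final Map<String, String> DEMO_USERS = new HashMap<>();
    static { DEMO_USERS.put("alice", "correct horse battery staple"); }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || !authenticate(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The session the browser arrived with may have been planted by an attacker,
        // so swap its id BEFORE storing anything that marks the session as logged in.
        HttpSession session = rotateSession(req, "locale"); // "locale": placeholder to keep
        session.setAttribute(USER_ATTR, user);
        resp.sendRedirect(req.getContextPath() + "/home");  // placeholder target
    }

    /**
     * Invalidate the current session and create a fresh one, copying only the attributes
     * named in keep (the invalidate()+getSession(true) recipe from the answers). Works on
     * any Servlet 2.x/3.x container; on Servlet 3.1+ the single call req.changeSessionId()
     * rotates the id in place and keeps every attribute.
     */
    static HttpSession rotateSession(HttpServletRequest req, String... keep) {
        HttpSession old = req.getSession(false);
        if (old == null) {
            return req.getSession(true); // no pre-login session, nothing to fix
        }
        Map<String, Object> carried = new HashMap<>();
        for (String name : keep) {
            Object value = old.getAttribute(name);
            if (value != null) {
                carried.put(name, value);
            }
        }
        old.invalidate();                         // server forgets the attacker-known id
        HttpSession fresh = req.getSession(true); // new random id, new Set-Cookie on the response
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Constant-time comparison against the demo store (placeholder for a real check). */
    private static boolean authenticate(String user, String pass) {
        String expected = DEMO_USERS.get(user);
        if (expected == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     pass.getBytes(StandardCharsets.UTF_8));
    }
}
```

The order inside doPost is the point: the rotation happens before the logged-in marker is written, so even if a container failed to invalidate the old session (the JBoss case the third answer mentions), the attacker's fixed id never becomes an authenticated one. Copying only a named whitelist, rather than every attribute, keeps anything the pre-login session accumulated from silently surviving into the authenticated session. The response must not have been committed before getSession(true) is called, or the container cannot send the new cookie.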
