Maintain session in grails - session

How to maintain session in my grails application. Here is my requirement.
I have to generate session id (in server side) based on the user-name (which comes from client side while log-in).
After log-in, the server should pass the session id to client and sets timer to validate the session.
For every request, the client should pass the session id to server, so that the server is able to check whether the session is alive or not based on the timer.
If the session is valid, the server should process the request and has to increment the timer.
If the session in invalid, the request should not be processed by server.
Please let me know if you any idea/tutorial/suggestions.
Thanks in advance...

This looks exactly how the http session behaves, so you have that functionality out of the box. Just use the session variable to access session attributes. (see here). And this question tells you about how to configure the timeout.

Related

Can HttpOnly flag prevent session fixation attack?

I have a need to preserve session id after login. My session id cookie is marked as HttpOnly. Is such setup absolutely secure? Is there any possibility for an attacker to to perform session fixation attack if my session cookie is HttpOnly?
TLDR: Yes, in PHP and Firefox it is possible to add a second session cookie which, due to the order in the header, is preferred over the original one.
Also Yes, if there is other functionality which allows to set session IDs on the server. This depends on the application specific functionality.
Full explanation
Depends on what other functionality you have on your website to manipulate sessions. In some rare occasions, the application allows a user to set a session via a HTTP request. For example, via a GET parameter.
I believe you want to know if it is possible to fixate a session ID if the original session ID is set in a cookie with the HttpOnly flag. Therefore, I did a small test on a PHP application I was conducting a pentest on. Surprisingly, you can set a new PHPSESSID via a JavaScript injected as XSS. If there already was an existing PHPSESSID cookie with the HttpOnly flag, it simply puts this one next to the other one. In my case, in Firefox, it sent the following Cookies to the server after my attempt to set PHPSESSID via document.cookie = "PHPSESSID=FIXATEDSESSIONID":
Cookie: PHPSESSID=FIXATEDSESSIONID; __utma=139474299.465096418.1547461023.1548839033.1548851774.5; __utmz=139474299.1547461023.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); acceptCookies=true;
So there are now two session IDs in the request. In my setup, with PHP 5.6.25, the server takes the first cookie to bind a session. So in the case with Firefox and PHP 5.6.25, I was able to fixate my session ID (FIXATEDSESSIONID) via a JavaScript. The original session ID is still in the request but it is ignored by the server. Note that FIXATEDSESSIONID is literally the session ID I injected. So it was not necessary to get a legitimate session ID from the PHP server.
It's better to have session cookie as HttpOnly, because it obviously makes session more secure.
The right way to avoid session fixation vulnerability is to make new session for user on authentication.
Check OWASP article about session fixation. It has information about techniques to execute this kind of attack.

how does server recognize client's session cookie without storing it on server

I am trying to understand, how exactly the session management mechanism in a stateless web application works. Currently I am using Play Framework but I think the mechanism should be the same for all of the stateless web frameworks
this is from the documentation of play framework: (link)
It’s important to understand that Session and Flash data are not stored by the server but are added to each subsequent HTTP request, using the cookie mechanism
and
Of course, cookie values are signed with a secret key so the client can’t modify the cookie data (or it will be invalidated).
Now my question is, if the server does not save anything about a session id, how does it authenticate a session coming from a client?!
I did a lot of searching, but I couldn't find out, how the session management on the server side really works.
Now my question is, if the server does not save anything about a
session id, how does it authenticate a session coming from a client?
What play does is it signs your session data through a key say KEY(Its the application.secret that you set in application.conf) and produce a alphanumeric data. Then it attaches both data and encrypted data to cookie and sends it back
ENCRYPTED DATA= 5d9857e8a41f94ecb2e4e957cd3ab4f263cfbdea
DATA = userEmail=sil#st.com&userName=silentprogrammer
If you Inspect the cookie(Right click on browser->Inspect element->Application->Cookie->Your url) in the browser of your running application you can see something like
"5d9857e8a41f94ecb2e4e957cd3ab4f263cfbdea-userEmail=sil#st.com&userName=silentprogrammer"
For each request it gets the data part(userEmail=sil#st.com&userName=silentprogrammer) signs the data again from the KEY and checks it to the alphanumeric data coming from request i.e. 5d9857e8a41f94ecb2e4e957cd3ab4f263cfbdea if the both are equal(if data and encryption key is same) the session is confirmed otherwise session expire. You can confirm this by changing the data part from cookie in browser and sending the request again the session will not exist.
This is what I have observed

Session timeout after 15 minutes

In my application I use web services to get required information. To actually use this services you have to login first, you get your token - encrypted password, afterwards this token is attached to SOAP requests to identify current user. The thing is, when you do not use service for 15 minutes, your token changes and when you are trying to obtain another bunch of information from the server it denies old token. As a result app do not get required information and throws a heap of errors.
How to send user (load Login.axm) to Login page when token has been changed?
Thank you, Shay Shmeltzer for your answer.
How I solved this problem:
1) First I read how does sessions work in my particular case. I used stateless session which means -
A new session is opened for an initial request and the session remains
open for subsequent requests. Relogin occurs automatically
(transparent to the user) if the session is closed. UsernameToken and
PasswordText must be included as SOAP headers in the initial request
to open a stateless session.
Stateless session management is the best method to use for high-load
Web service applications. Using Stateless mode, the application
provides the username and password only once, that is for the initial
request. A session is opened on the server and is dedicated for this
user.
In the response Siebel Business Applications return the SessionToken,
which is an encrypted string containing the information about
username, password, and timestamp. For subsequent requests the
application must use the SessionToken to reuse the session.
For security reasons SessionTokens are regenerated for each response.
The application must provide the last received SessionToken for the
next request.
The SessionToken-Siebel session map is maintained in the Siebel Web
Server Extension (SWSE); based on the SessionToken value SWSE sends
the request to the correct Siebel session (task).
Although the session is persistent, authentication happens for each
request (SWSE decrypts the UserName and Password from the
SessionToken).
the main problem was :
NOTE: Reconnecting or automatic logging in again will only happen if
the token has not timed out. If it times out, then the user must
manually log in again. Token timeout must be greater than or equal to
session timeout. For more information on session token timeout, see
Session and Session Token Timeout-Related Parameters.
in my case standard session token live time was 15 minutes.
That is why I included counter in my code and checked it before each request. If counter time > 15 minutes, I sent log in request to the server to get new session token. The reason, I did not change current page to log in page straight away after the counter exceeds 15 minutes is: place in code, where I check counter is already initiated by the bindings to get required value to render it, so if your token has expired you will get a heap of errors. That is why firstly I renew the session sending log in request, get active session token and put it into the last request which is requested by binding. After app renders page without any errors, it shows pop up message "Session has expired" and goes to log in page.
You can programmatically set the soap header being sent to your SOAP service from ADF Mobile - http://docs.oracle.com/cd/E37975_01/doc.111240/e24475/amxwebservices.htm#CHDIBIIE

Understanding Session Expiration

Looking at the OWASP Session Management Cheat Sheet, every time a session expires, must a user go through the same Pre-Auth --> Auth --> ... steps to make a new session?
For example, if a session expires and the web app requires authentication, will the user have to log back into the web app before getting a new session?
Sessions are maintained with cookies.
Http is a stateless protocol. Every request to server works in isolation. No request has any information about previous request.
Say a user named A logs in to the site. This site works with session and sets session data for a user. Internally the server creates some value and associates with a particular user. A value 12345 is computed and associated with user A. The server decides to give this value's name as sessionId. It sends sessionId in the cookie and this cookie will be stored on the user's browser. Next time the user A makes a request this cookie will be sent to server. Server reads for cookie sessionId, and finds it. Then it sees with what user is the value in this cookie i.e 12345 is associated. It finds that this value is associated with user A and so its the user A, who is making the request.
Say this cookie expires, can be for various reasons. Either user deletes the cookie on his end. Or after certain days, server cleans this association between user and the session. In that case server will not be able to know who is the user making the request. And hence the entire flow of login by user, seesion generation will have to take place.
So, yes, if a session expires and the web app requires authentication, user will have to login again
Yes, the user has to log in again. Also, it's important that a new session gets a new session id, as an attacker could have gained the session id. If you re-authenticate the same session id, the attacker would gain access as well. See session fixation attack.
Depending on the safety requirements, you might also have to implement a maximum time to life for every session. Usually an attacker would take over a session and try to keep it alive as long as possible. Expiring the session after a certain amount of time, even if it is active, is an effective way to ensure that attackers can only have access for limited time.

when a request session is generated in weblogic how session id is determined

When a session is invalidated in a web app, if i make to that app a new request with the invalidated jsessionid in cookie, what will be the new session's id? As i inspect, a new session is generated but the session id remains same. I couldn't give a explanation to this. Is there such a convention to keep jsessionid in cookie and give that value to newly created session or am i doing something wrong? :)
The Scenario.
I have 2 webapps on same weblogic. The WLCookie name for these apps are same.
When user enters in appA i am making a asynchronous call to appB's logout servlet where the appB's session is invalidated.
when user clicks a link in appA which refers to appB, i am creating a new session in appB and when i check for the sessionid in cookie it still remains same which is first created in appA.
As i know, two webapps on same weblogic does not share their session's if not configured but although i invalidated appB's session from outside why newly created session has still the same session id?
Thanks.
Do not confuse jsessionid with sessions. jsessionid is unique per container instance, where as session is per app. So, the session data won't propagate from AppA to AppB, just because the share the same jsessionid.

Resources