Whenever you authenticate, your application should change the session identifier it uses. This helps to prevent someone from setting up a session, copying the session identifier, and then tricking a user into using the session. Because the attacker already knows the session identifier, they can use it to access the session after the user logs in, giving them full access. This attack has been called "session fixation" among other things. How can i change the session id once the user login to the system ?
You're still on the server while you invalidate the session.
//get stuff out of session you want before invalidating it.
currentSession = request.getSession(true);
UserProfile userProfile = (UserProfile) currentSession.getAttribute("userProfile");
//now invalidate it
currentSession.invalidate();
//get new session and stuff the data back in
HttpSession newSession = request.getSession(true);
newSession.setAttribute("userProfile", userProfile);
Get the existing; invalidate it; create a new one ...
1) Get the current Session with HttpServletRequest.getSession();
2) Clear the Session: HttpSession.invalidate();
3) Create a new one: HttpServletRequest.getSession(true);
Talking generally (because this isn't a Java problem at all, it's a general web problem) session fixation arises when session IDs are easy to discover or guess. The main method of attack is when the session ID is in the URL of a page, for example http://example.com/index?sessionId=123. An attacker could setup capture a session and then embed the link in their page, tricking a user into visiting it and becoming part of their session. Then when the user authenticates the session is authenticated. The mitigation for this is to not use URL based session IDs, but instead use cookies
Some web applications will use a cookie session based but set it from the initial URL, for example visiting http://example.com/index?sessionId=123 would see the session id in the url and then create a session cookie from it, setting the id in the session cookie to 123. The mitigation for this is to generate random session ids on the server without using any user input as a seed into the generator.
There's also browser based exploits where a poorly coded browser will accept cookie creation for domains which are not the originating domain, but there's not much you can do about that. And Cross Site Scripting attacks where you can send a script command into the attacked site to set the session cookie, which can be mitigated by setting the session cookie to be HTTP_ONLY (although Safari does not honour this flag)
For Java the general recommendation is
session.invalidate();
session=request.getSession(true);
However at one point on JBoss this didn't work - so you need to check this works as expected within your chosen framework.
Invalidate the current session and the get a new session:
//invalidate the current session
request.getSession().invalidate();
/*
get another session and get the ID (getSession()) will create a session if one does not exist
*/
request.getSession().getId();
Related
I have a need to preserve session id after login. My session id cookie is marked as HttpOnly. Is such setup absolutely secure? Is there any possibility for an attacker to to perform session fixation attack if my session cookie is HttpOnly?
TLDR: Yes, in PHP and Firefox it is possible to add a second session cookie which, due to the order in the header, is preferred over the original one.
Also Yes, if there is other functionality which allows to set session IDs on the server. This depends on the application specific functionality.
Full explanation
Depends on what other functionality you have on your website to manipulate sessions. In some rare occasions, the application allows a user to set a session via a HTTP request. For example, via a GET parameter.
I believe you want to know if it is possible to fixate a session ID if the original session ID is set in a cookie with the HttpOnly flag. Therefore, I did a small test on a PHP application I was conducting a pentest on. Surprisingly, you can set a new PHPSESSID via a JavaScript injected as XSS. If there already was an existing PHPSESSID cookie with the HttpOnly flag, it simply puts this one next to the other one. In my case, in Firefox, it sent the following Cookies to the server after my attempt to set PHPSESSID via document.cookie = "PHPSESSID=FIXATEDSESSIONID":
Cookie: PHPSESSID=FIXATEDSESSIONID; __utma=139474299.465096418.1547461023.1548839033.1548851774.5; __utmz=139474299.1547461023.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); acceptCookies=true;
So there are now two session IDs in the request. In my setup, with PHP 5.6.25, the server takes the first cookie to bind a session. So in the case with Firefox and PHP 5.6.25, I was able to fixate my session ID (FIXATEDSESSIONID) via a JavaScript. The original session ID is still in the request but it is ignored by the server. Note that FIXATEDSESSIONID is literally the session ID I injected. So it was not necessary to get a legitimate session ID from the PHP server.
It's better to have session cookie as HttpOnly, because it obviously makes session more secure.
The right way to avoid session fixation vulnerability is to make new session for user on authentication.
Check OWASP article about session fixation. It has information about techniques to execute this kind of attack.
I have done some very basic authentication work in PHP. In PHP you can start a session and create a unique session ID to be stored in the cookies.
How does this work in ColdFusion? How can I start a session and assign a unique ID to it?
The backstory: I am trying to a create a log in page, I can create users and authenticate their login attempts but I need to know how to give them a unique session once they have logged in.
I've taken a look at the ColdFusion documentation. The only methods I could find for sessions seemed to be for browsers that don't use cookies for whatever reason. Am I missing something?
Yup, if in your application.cfm or application.cfc you set SessionManagement to 'true' then CF automatically creates a session for each new user. You can then set a property of the session (perhaps called 'loggedin') to be true or false to manage login state. Session duration is managed through the SessionTimeout property in application.cfc
You can also use the <cfloginuser> tag to manage whether a user is logged in, although some people avoid it
Take a look at this article for an overview of application.cfc
Looking at the OWASP Session Management Cheat Sheet, every time a session expires, must a user go through the same Pre-Auth --> Auth --> ... steps to make a new session?
For example, if a session expires and the web app requires authentication, will the user have to log back into the web app before getting a new session?
Sessions are maintained with cookies.
Http is a stateless protocol. Every request to server works in isolation. No request has any information about previous request.
Say a user named A logs in to the site. This site works with session and sets session data for a user. Internally the server creates some value and associates with a particular user. A value 12345 is computed and associated with user A. The server decides to give this value's name as sessionId. It sends sessionId in the cookie and this cookie will be stored on the user's browser. Next time the user A makes a request this cookie will be sent to server. Server reads for cookie sessionId, and finds it. Then it sees with what user is the value in this cookie i.e 12345 is associated. It finds that this value is associated with user A and so its the user A, who is making the request.
Say this cookie expires, can be for various reasons. Either user deletes the cookie on his end. Or after certain days, server cleans this association between user and the session. In that case server will not be able to know who is the user making the request. And hence the entire flow of login by user, seesion generation will have to take place.
So, yes, if a session expires and the web app requires authentication, user will have to login again
Yes, the user has to log in again. Also, it's important that a new session gets a new session id, as an attacker could have gained the session id. If you re-authenticate the same session id, the attacker would gain access as well. See session fixation attack.
Depending on the safety requirements, you might also have to implement a maximum time to life for every session. Usually an attacker would take over a session and try to keep it alive as long as possible. Expiring the session after a certain amount of time, even if it is active, is an effective way to ensure that attackers can only have access for limited time.
When a session is invalidated in a web app, if i make to that app a new request with the invalidated jsessionid in cookie, what will be the new session's id? As i inspect, a new session is generated but the session id remains same. I couldn't give a explanation to this. Is there such a convention to keep jsessionid in cookie and give that value to newly created session or am i doing something wrong? :)
The Scenario.
I have 2 webapps on same weblogic. The WLCookie name for these apps are same.
When user enters in appA i am making a asynchronous call to appB's logout servlet where the appB's session is invalidated.
when user clicks a link in appA which refers to appB, i am creating a new session in appB and when i check for the sessionid in cookie it still remains same which is first created in appA.
As i know, two webapps on same weblogic does not share their session's if not configured but although i invalidated appB's session from outside why newly created session has still the same session id?
Thanks.
Do not confuse jsessionid with sessions. jsessionid is unique per container instance, where as session is per app. So, the session data won't propagate from AppA to AppB, just because the share the same jsessionid.
I'm maintaining a system built in ASP.
The login process is in SSL. Meaning, when the user clicks on "Login", his user name and password are sent securely to the server.
The login process produces a Session object, which is the ID of the now logged-in user.
After finishing the login process, the page redirects the browser to a non secure page. This page tries to access the ID Session object.
Until last week, this worked fine. Our system was running on IIS6.0, and the non-secure page could access this Secure ID Session object.
However, after switching over to IIS7.5, this inevitable security hole was closed(or so I assume). The non-secure page cannot access the Secure ID Session object anymore.
Access to the object is done simply like this:
string ID = Session(SESSION_USER_ID)
just to check things out, I tried access a non-secure Session object from the Secure login pages - this failed as well.
Is there any way to access a Secure Session object from a non-secure page?
BTW, I've probably mistaken with some of the terms here, but I think the scenario is more or less clear. Please tell me if this is not the case.
I've come across this problem before, I ended up getting around it by, when changing into or out of SSL, calling a function that would write the session variables to cookies, and then read back from the cookies into the SSL session variables.