Samuel Mendenhall updated JBSEAM-2450:
--------------------------------------
OWASP / New Session after Login
-------------------------------
Key: JBSEAM-2450
URL: https://jira.jboss.org/jira/browse/JBSEAM-2450
Project: Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 2.0.0.GA
Environment: Linux 2.6, jetty 6.1.5, java 6
Reporter: Alexander Schwartz
Assignee: Shane Bryzak
Attachments: NewSessionFilter.java
Hello,
OWASP has compiled a "top 10" vulnerabilities for web applications.
One suggestion against session hijacking was the following: Start a new HTTP-Session
after a successful login:
"Consider regenerating a new session upon successful authentication or privilege
level change."
http://www.owasp.org/index.php/Top_10_2007-A7
Therefore there should be a (configurable?) switch to choose "continue with new
session ID after successful log on"
I have thought of invalidating the current HTTP session, creating a new one and copying
all elements from the old session to the new session in my Authenticator. But Seam 2.0.0
doesn't allow this: When I use the low-level functions this is blocked by
IllegalStateException("Please end the HttpSession via Seam.invalidateSession()")
in Lifecycle. When I use Seam.invalidateSession(), the session is only destroyed at the end
of the request and I am unable to copy any objects in my Authenticator as the new session
doesn't exist yet.
The workaround I have come up with is a filter that destroys the complete session before
the log in.
This is not very elegant, but it works for me as I don't have i.e. a shopping basket
that I'd like to preserve.
A "nice" implementation in seam shouldn't have this limitation.
shane.bryzak(a)jboss.com asked for this ticket to be assigned to her.
The Java Class:
Code:
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * This filter enforces a new session whenever there is a POST, should be mapped
 * to the URL of the login page in your web.xml
 * @author Alexander Schwartz 2007
 */
public class NewSessionFilter implements Filter {
    private Log log = LogFactory.getLog(NewSessionFilter.class);
    private String url;

    public void destroy() {
        // empty.
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            // getSession(false) returns null instead of silently creating a session,
            // so the null check below actually means "a session already exists".
            HttpSession session = httpRequest.getSession(false);
            if (httpRequest.getMethod().equals("POST")
                    && session != null
                    && !session.isNew()
                    && httpRequest.getRequestURI().endsWith(url)) {
                // Drop the pre-login session (and everything stored in it) and start a
                // fresh one, so the id used before authentication is never reused.
                session.invalidate();
                httpRequest.getSession(true);
                log.info("new Session:" + httpRequest.getSession().getId());
            }
        }
        chain.doFilter(request, response);
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        url = filterConfig.getInitParameter("url");
        if (url == null) {
            throw new ServletException(
                    "please specify parameter 'url' with login URL");
        }
    }
}
The web.xml:
Code:
<filter>
    <display-name>NewSessionFilter</display-name>
    <filter-name>NewSessionFilter</filter-name>
    <filter-class>NewSessionFilter</filter-class>
    <init-param>
        <param-name>url</param-name>
        <param-value>/iss/login.jsf</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>NewSessionFilter</filter-name>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/iss/login.jsf</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
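The description above sketches the variant the reporter could not get working under Seam: invalidate the session, create a new one, and carry the old attributes across so that state like a shopping basket survives the login. The filter below is an added example written against the plain Servlet API (it is not part of the ticket, the attachment, or Seam itself); the class name SessionRotatingFilter, the helper names rotateSession and snapshot, and the init-param name are assumptions. It assumes a container without Seam's Lifecycle guard, which, as the reporter notes, rejects a direct invalidate() in Seam 2.0.0.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical example filter: on a POST to the login URL, replace the current
 * session with a fresh one (new id) while preserving its attributes.
 * Plain Servlet API only; not Seam's implementation.
 */
public class SessionRotatingFilter implements Filter {
    private String loginPath; // init-param "url", e.g. "/iss/login.jsf" (assumed)

    public void init(FilterConfig cfg) throws ServletException {
        loginPath = cfg.getInitParameter("url");
        if (loginPath == null) {
            throw new ServletException("init-param 'url' with the login URL is required");
        }
    }

    public void destroy() {
        // nothing to release
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // getSession(false): do not create a session just to inspect it
            HttpSession current = http.getSession(false);
            if ("POST".equals(http.getMethod()) && current != null
                    && http.getRequestURI().endsWith(loginPath)) {
                rotateSession(http, current);
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Snapshots the attributes, invalidates the old session (its id can no longer
     * be used by anyone who learned it before login), creates a fresh session and
     * restores the snapshot into it. Returns the new session.
     */
    static HttpSession rotateSession(HttpServletRequest http, HttpSession old) {
        Map<String, Object> saved = snapshot(old);
        old.invalidate();
        HttpSession fresh = http.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Copies every attribute of the session into a plain map. */
    static Map<String, Object> snapshot(HttpSession s) {
        Map<String, Object> copy = new HashMap<String, Object>();
        for (Enumeration<?> names = s.getAttributeNames(); names.hasMoreElements();) {
            String name = (String) names.nextElement();
            copy.put(name, s.getAttribute(name));
        }
        return copy;
    }
}
```

Map it in web.xml exactly like the NewSessionFilter above (same init-param and url-pattern). Two practical caveats: copy only the attributes the application actually needs after login rather than everything, since anything an unauthenticated visitor could place in the pre-login session would otherwise follow them into the authenticated one; and on containers supporting Servlet 3.1 or later, HttpServletRequest.changeSessionId() performs the id rotation natively without the invalidate-and-copy dance, which is the simpler choice where it is available.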
--
This message is automatically generated by JIRA.