[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1361) invalidate session after scheme change

fguerzoni (JIRA) jira-events at lists.jboss.org
Tue Jun 5 08:53:18 EDT 2007 

    [ http://jira.jboss.com/jira/browse/JBSEAM-1361?page=comments#action_12364196 ] 
            
fguerzoni commented on JBSEAM-1361:
-----------------------------------

I think XSS attacks are less frequent than simply stealing session id: because they are more difficult to do.

But, take it as a suggestion, Seam could automatically add a sort of XSSvalidator, during input field scan, in order to search for 
<SCRIPT>, <OBJECT>, <APPLET>, <EMBED> and <FORM>
that generally mean an attempt to inject code from client.

About data copied to new session I think that Christian is right: we don't know if data are from real user.
So data should be added to new session when both login change and user is authenticated.
In fact user is authenticated only when data in session are correct.



> invalidate session after scheme change
> --------------------------------------
>
>                 Key: JBSEAM-1361
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-1361
>             Project: JBoss Seam
>          Issue Type: Feature Request
>          Components: Security
>    Affects Versions: 1.2.1.GA
>         Environment: general feature
>            Reporter: fguerzoni
>         Assigned To: Gavin King
>             Fix For: 1.3.0.ALPHA
>
>
> I noticed that sessionId cookie sent to client before authentication remains the same even after login succedeed. This could lead to a man-in-the-middle attack because pre-login sessionId could be easily sniffed.
> So, it would be very nice if it should be possible to do a session switching on server side forcing a pre-login session invalidation and a new session creation (request.getSession(true)) as soon as client authenticates. Old session data should then be copied to new session.
> In this case a new sessionId cookie will be sent to client: client will use this ticket during next requests.
> This mechanism collides with the actual Seam implementations where Lifecycle.endSession is called after a session.invalidate
> I think that Seam should automatically execute this task during the authentication phase. 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the seam-issues mailing list