[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1361) sessionId cookie: man-in-the-middle attack
jira-events at lists.jboss.org
Tue May 29 03:29:08 EDT 2007
[ http://jira.jboss.com/jira/browse/JBSEAM-1361?page=comments#action_12363343 ]
fguerzoni commented on JBSEAM-1361:
By renewing sessionId after authentication, I will be sure that any pre-login sessionId, eventually obtained during an unencrypted HTTP connection, will be sent to the server.
After authentication, clients are SSL connected with the server and the sessionId will be encrypted.
I agree with Christian: "Session identifier hijacking does not depend on authorization".
I think the problem is that clients could use, when authenticated, sessionId obtained when they were unauthenticated, so potentially unencrypted.
I feel this situation as very dangerous.
> sessionId cookie: man-in-the-middle attack
> Key: JBSEAM-1361
> URL: http://jira.jboss.com/jira/browse/JBSEAM-1361
> Project: JBoss Seam
> Issue Type: Feature Request
> Components: Security
> Affects Versions: 1.2.1.GA
> Environment: general feature
> Reporter: fguerzoni
> Assigned To: Shane Bryzak
> I noticed that the sessionId cookie sent to the client before authentication remains the same even after login succeeded. This could lead to a man-in-the-middle attack because the pre-login sessionId could be easily sniffed.
> So, it would be very nice if it should be possible to do a session switching on server side forcing a pre-login session invalidation and a new session creation (request.getSession(true)) as soon as client authenticates. Old session data should then be copied to new session.
> In this case a new sessionId cookie will be sent to client: client will use this ticket during next requests.
> This mechanism collides with the actual Seam implementation where Lifecycle.endSession is called after a session.invalidate.
> I think that Seam should automatically execute this task during the authentication phase.
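The session switch described in the issue (invalidate the pre-login session, call request.getSession(true), copy the old attributes across) can be written as a plain Servlet API helper. The class below is an added example for this thread, not Seam's own code and not the fix that was eventually shipped; the name SessionRenewer and the method renewAfterLogin are assumptions, and it deliberately ignores Seam's Lifecycle.endSession interaction that the issue mentions.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (example code, not part of Seam): rotates the servlet
 * session id at the moment a user authenticates, so an id issued over plain
 * HTTP before login cannot be replayed against the authenticated session.
 */
public final class SessionRenewer {

    private SessionRenewer() {}

    /**
     * Invalidates the pre-login session and creates a fresh one, carrying the
     * old attributes across. Call this once, immediately after credentials
     * have been verified and before any authenticated state is stored.
     *
     * @return the new session; its id is what the container sends back in
     *         the next Set-Cookie header
     */
    public static HttpSession renewAfterLogin(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();

        if (old != null) {
            // Snapshot every attribute before invalidation, because
            // invalidate() discards them all.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate(); // the pre-login id is unusable from here on
        }

        // getSession(true) on a request whose session was just invalidated
        // forces the container to mint a new id and a new cookie.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Two caveats apply when copying attributes wholesale. First, attributes implementing HttpSessionBindingListener see an unbound event on invalidate() and a fresh bound event on the new session, so anything that tears itself down on unbind will not survive the copy unchanged. Second, rotating the id only helps if the new cookie is never exposed on a cleartext hop: the login endpoint and everything after it must be served over HTTPS and the session cookie marked Secure, otherwise the post-login id can be captured exactly as the pre-login one was. On Servlet 3.1 and later containers, HttpServletRequest.changeSessionId() performs the id rotation in place without invalidating the session, which avoids the attribute-copy step entirely.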