[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-2450) OWASP / New Session after Login
ahus1 (JIRA)
jira-events at lists.jboss.org
Sat Jan 5 16:23:59 EST 2008
OWASP / New Session after Login
-------------------------------
Key: JBSEAM-2450
URL: http://jira.jboss.com/jira/browse/JBSEAM-2450
Project: JBoss Seam
Issue Type: Feature Request
Affects Versions: 2.0.0.GA
Environment: Linux 2.6, jetty 6.1.5, java 6
Reporter: ahus1
Hello,
OWASP has compiled a "top 10" vulnerablilities for web applications.
One suggestion against session hijacking was the following: Start a new HTTP-Session after a successful login:
"Consider regenerating a new session upon successful authentication or privilege level change."
http://www.owasp.org/index.php/Top_10_2007-A7
Therefore there should be a (configurable?) switch to choose "continue with new session ID after successful log on"
I have thought of invalidating the current HTTP session, creating a new one and copying all elements from the old session to the new session in my Authenticator. But Seam 2.0.0 doesn't allow this: When I use the lowlevel functions this is blocked by IllegalStateException("Please end the HttpSession via Seam.invalidateSession()") in Lifecyle. When I use Seam.invalidateSession(), the session is only destroyed at the end of the request and I am unable to copy any objects in my Authenticator as the new session doesn't exist yet.
The workaround I have come up with is a filter, that destroys the complete session before the log in.
This is not very elegant, but it works for me as I don't have i.e. a shoping basket that I'd like to preserve.
A "nice" implementation in seam shouldn't have this limitation.
shane.bryzak at jboss.com asked for this ticket to be assigned to her.
The Java Class:
Code:
/**
* This filter enforces a new session whenever there is a POST, should be mapped
* to the URL of the login page in your web.xml
* @author Alexander Schwartz 2007
*/
public class NewSessionFilter implements Filter {
private Log log = LogFactory.getLog(NewSessionFilter.class);
private String url;
public void destroy() {
// empty.
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
if (request instanceof HttpServletRequest) {
HttpServletRequest httpRequest = (HttpServletRequest) request;
if (httpRequest.getMethod().equals("POST")
&& httpRequest.getSession() != null
&& !httpRequest.getSession().isNew()
&& httpRequest.getRequestURI().endsWith(url)) {
httpRequest.getSession().invalidate();
httpRequest.getSession(true);
log.info("new Session:" + httpRequest.getSession().getId());
}
}
chain.doFilter(request, response);
}
public void init(FilterConfig filterConfig) throws ServletException {
url = filterConfig.getInitParameter("url");
if (url == null) {
throw new ServletException(
"please specify parameter 'url' with login URL");
}
}
}
The web.xml:
Code:
<filter>
<display-name>NewSessionFilter</display-name>
<filter-name>NewSessionFilter</filter-name>
<filter-class>
NewSessionFilter
</filter-class>
<init-param>
<param-name>url</param-name>
<param-value>/iss/login.jsf</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>NewSessionFilter</filter-name>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/iss/login.jsf</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the seam-issues
mailing list