[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-2450) OWASP / New Session after Login

ahus1 (JIRA) jira-events at lists.jboss.org
Sat Sep 27 11:04:20 EDT 2008


    [ https://jira.jboss.org/jira/browse/JBSEAM-2450?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12431471#action_12431471 ] 

ahus1 commented on JBSEAM-2450:
-------------------------------

I was having problems with the filter above handling the proper restore of the view context when changing from client-side sessions to server-side sessions. 

I redesigned the concept a bit:

(1) log in (with a POST request) and mark the session to be replaced with a new session.

(2) on the next GET request (the redirect used with almost all Seam processing) a new session is created; all elements from the old session are copied to the new session. 

As no view needs to be restored on GET requests, there are no more problems with this concept. 

Marking a session to be replaced by a new session is done with a session attribute. 

  import java.io.IOException;
  import java.util.Enumeration;
  import java.util.HashMap;
  import java.util.Map;
  import javax.servlet.Filter;
  import javax.servlet.FilterChain;
  import javax.servlet.FilterConfig;
  import javax.servlet.ServletException;
  import javax.servlet.ServletRequest;
  import javax.servlet.ServletResponse;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpSession;
  import org.apache.commons.logging.Log;
  import org.apache.commons.logging.LogFactory;
  import org.jboss.seam.contexts.Contexts;

  public class NewSessionFilter implements Filter {
    /** Session attribute set by the Authenticator after a successful login. */
    public static final String NEW_SESSION_INDICATOR = "NewSessionFilter.newSession";
    private Log log = LogFactory.getLog(NewSessionFilter.class);

    public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException {
      if (request instanceof HttpServletRequest) {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        // getSession(false) does not create a session as a side effect
        HttpSession session = httpRequest.getSession(false);
        if (httpRequest.getMethod().equals("GET")
            && session != null
            && session.getAttribute(NEW_SESSION_INDICATOR) != null
            && !Contexts.isEventContextActive()
            && !Contexts.isApplicationContextActive()) {
          // keep everything except the marker itself
          Map<String, Object> old = new HashMap<String, Object>();
          Enumeration<?> keys = session.getAttributeNames();
          while (keys.hasMoreElements()) {
            String key = (String) keys.nextElement();
            if (!NEW_SESSION_INDICATOR.equals(key)) {
              old.put(key, session.getAttribute(key));
            }
          }
          log.info("session invalidated on " + httpRequest.getRequestURI());
          session.invalidate();
          // the container issues a fresh session ID here
          session = httpRequest.getSession(true);
          for (Map.Entry<String, Object> e : old.entrySet()) {
            session.setAttribute(e.getKey(), e.getValue());
          }
          log.info("new Session for URI '" + httpRequest.getRequestURI() + "':" + session.getId());
        }
      }
      chain.doFilter(request, response);
    }

    public void init(FilterConfig filterConfig) throws ServletException {
      // nothing to configure
    }

    public void destroy() {
      // empty.
    }
  }


> OWASP / New Session after Login
> -------------------------------
>
>                 Key: JBSEAM-2450
>                 URL: https://jira.jboss.org/jira/browse/JBSEAM-2450
>             Project: Seam
>          Issue Type: Feature Request
>          Components: Security
>    Affects Versions: 2.0.0.GA
>         Environment: Linux 2.6, jetty 6.1.5, java 6
>            Reporter: ahus1
>            Assignee: Shane Bryzak
>
> Hello,
> OWASP has compiled a "top 10" vulnerabilities for web applications.
> One suggestion against session hijacking was the following: start a new HTTP session after a successful login:
> "Consider regenerating a new session upon successful authentication or privilege level change."
>    http://www.owasp.org/index.php/Top_10_2007-A7
> Therefore there should be a (configurable?) switch to choose "continue with new session ID after successful log on"
> I have thought of invalidating the current HTTP session, creating a new one and copying all elements from the old session to the new session in my Authenticator. But Seam 2.0.0 doesn't allow this: When I use the low-level functions this is blocked by IllegalStateException("Please end the HttpSession via Seam.invalidateSession()") in Lifecycle. When I use Seam.invalidateSession(), the session is only destroyed at the end of the request and I am unable to copy any objects in my Authenticator as the new session doesn't exist yet. 
> The workaround I have come up with is a filter that destroys the complete session before the log in. 
> This is not very elegant, but it works for me as I don't have e.g. a shopping basket that I'd like to preserve.
> A "nice" implementation in seam shouldn't have this limitation. 
> shane.bryzak at jboss.com asked for this ticket to be assigned to her.
> The Java Class:
> Code:
> import java.io.IOException;
> import javax.servlet.Filter;
> import javax.servlet.FilterChain;
> import javax.servlet.FilterConfig;
> import javax.servlet.ServletException;
> import javax.servlet.ServletRequest;
> import javax.servlet.ServletResponse;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpSession;
> import org.apache.commons.logging.Log;
> import org.apache.commons.logging.LogFactory;
> 
> /**
>  * This filter enforces a new session whenever there is a POST; it should be mapped
>  * to the URL of the login page in your web.xml
>  * @author Alexander Schwartz 2007
>  */
> public class NewSessionFilter implements Filter {
>   private Log log = LogFactory.getLog(NewSessionFilter.class);
>   
>   /** Login URL (init parameter "url"); only POSTs to this URI get a new session. */
>   private String url;
>   
>   public void destroy() {
>     // empty.
>   }
>   
>   public void doFilter(ServletRequest request, ServletResponse response,
>       FilterChain chain) throws IOException, ServletException {
>     if (request instanceof HttpServletRequest) {
>       HttpServletRequest httpRequest = (HttpServletRequest) request;
>       // getSession(false) avoids creating a session just to inspect it
>       HttpSession session = httpRequest.getSession(false);
>       if (httpRequest.getMethod().equals("POST")
>           && session != null
>           && !session.isNew()
>           && httpRequest.getRequestURI().endsWith(url)) {
>         // drop the pre-login session entirely (nothing is carried over)
>         session.invalidate();
>         session = httpRequest.getSession(true);
>         log.info("new Session:" + session.getId());
>       }
>     }
>     chain.doFilter(request, response);
>   }
>   
>   public void init(FilterConfig filterConfig) throws ServletException {
>     url = filterConfig.getInitParameter("url");
>     if (url == null) {
>       throw new ServletException(
>           "please specify parameter 'url' with login URL");
>     }
>   }
>   
> }
> 	
> The web.xml:
> Code:
> 	<filter>
> 		<display-name>NewSessionFilter</display-name>
> 		<filter-name>NewSessionFilter</filter-name>
> 		<filter-class>
> 			NewSessionFilter
> 		</filter-class>
> 		<init-param>
> 			<param-name>url</param-name>
> 			<param-value>/iss/login.jsf</param-value>
> 		</init-param>
> 	</filter>
> 	<filter-mapping>
> 		<filter-name>NewSessionFilter</filter-name>
> 		<servlet-name>Faces Servlet</servlet-name>
> 		<url-pattern>/iss/login.jsf</url-pattern>
> 		<dispatcher>REQUEST</dispatcher>
> 	</filter-mapping>
> 	 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
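Added example, not code from the issue, the comment or from Seam itself: the marking step (1) of the two-step redesign described in ahus1's comment. The login action only sets a session attribute after a successful login; the filter from the comment then invalidates the session and copies its attributes into a fresh one on the next GET. The package, the component name, the hard-coded credential check, the attribute name and reaching the HttpSession through ServletContexts.instance().getRequest() are all assumptions made for illustration.

```java
// Added example (not code from the issue or from Seam): the marking step of the
// two-step redesign. Package, component name, credential check, attribute name
// and the ServletContexts call are assumptions for illustration.
package example;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.security.Identity;
import org.jboss.seam.web.ServletContexts;

/**
 * Step (1): the login POST authenticates the user and only marks the HTTP
 * session. The filter from the comment performs the actual replacement on the
 * next GET, i.e. the redirect Seam issues after the login action, so no JSF
 * view has to be restored from a session that no longer exists.
 */
@Name("authenticator")
public class Authenticator {

  /** Must be the same attribute name the filter checks (assumed value). */
  public static final String NEW_SESSION_INDICATOR = "NewSessionFilter.newSession";

  @In
  private Identity identity;

  public boolean authenticate() {
    // Hypothetical credential check standing in for a real user store.
    boolean ok = "demo".equals(identity.getUsername())
        && "demo".equals(identity.getPassword());
    if (!ok) {
      return false;
    }
    markSessionForReplacement();
    return true;
  }

  /**
   * Set the marker only after a successful login. A failed attempt leaves the
   * session untouched, and the session ID is deliberately not changed here
   * because Seam blocks HttpSession.invalidate() during a request (see the
   * IllegalStateException quoted in the issue).
   */
  private void markSessionForReplacement() {
    HttpServletRequest request = ServletContexts.instance().getRequest();
    HttpSession session = request.getSession(false);
    if (session != null) {
      session.setAttribute(NEW_SESSION_INDICATOR, Boolean.TRUE);
    }
  }
}
```

Two practical points follow from the design. The filter must see the GET that follows the login POST, so unlike the original workaround it cannot be mapped to the login URL only; mapping it to the Faces Servlet for all requests is the natural choice. And the new session ID is only issued in the response to that redirected GET, not in the response to the login POST itself, so a quick check is to compare the JSESSIONID cookie before the login and after the redirect has completed: the ID changes while the copied attributes (a shopping basket, for instance) survive, which is exactly what defeats a pre-set session ID without losing session state.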

        


