[jbossseam-issues] [JBoss JIRA] Updated: (JBSEAM-2450) OWASP / New Session after Login

Christian Bauer (JIRA) jira-events at lists.jboss.org
Mon Jun 8 08:07:56 EDT 2009


     [ https://jira.jboss.org/jira/browse/JBSEAM-2450?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christian Bauer updated JBSEAM-2450:
------------------------------------

    Comment: was deleted


> OWASP / New Session after Login
> -------------------------------
>
>                 Key: JBSEAM-2450
>                 URL: https://jira.jboss.org/jira/browse/JBSEAM-2450
>             Project: Seam
>          Issue Type: Feature Request
>          Components: Security
>    Affects Versions: 2.0.0.GA
>         Environment: Linux 2.6, jetty 6.1.5, java 6
>            Reporter: Alexander Schwartz
>            Assignee: Shane Bryzak
>         Attachments: NewSessionFilter.java
>
>
> Hello,
> OWASP has compiled a "top 10" vulnerablilities for web applications.
> One suggestion against session hijacking was the following: Start a new HTTP-Session after a successful login:
> "Consider regenerating a new session upon successful authentication or privilege level change."
>    http://www.owasp.org/index.php/Top_10_2007-A7
> Therefore there should be a (configurable?) switch to choose "continue with new session ID after successful log on"
> I have thought of invalidating the current HTTP session, creating a new one and copying all elements from the old session to the new session in my Authenticator. But Seam 2.0.0 doesn't allow this: When I use the lowlevel functions this is blocked by IllegalStateException("Please end the HttpSession via Seam.invalidateSession()") in Lifecyle. When I use Seam.invalidateSession(), the session is only destroyed at the end of the request and I am unable to copy any objects in my Authenticator as the new session doesn't exist yet. 
> The workaround I have come up with is a filter, that destroys the complete session before the log in. 
> This is not very elegant, but it works for me as I don't have i.e. a shoping basket that I'd like to preserve.
> A "nice" implementation in seam shouldn't have this limitation. 
> shane.bryzak at jboss.com asked for this ticket to be assigned to her.
> The Java Class:
> Code:
> /**
>  * This filter enforces a new session whenever there is a POST, should be mapped
>  * to the URL of the login page in your web.xml
>  * @author Alexander Schwartz 2007
>  */
> public class NewSessionFilter implements Filter {
>   private Log log = LogFactory.getLog(NewSessionFilter.class);
>   
>   private String url;
>   
>   public void destroy() {
>     // empty.
>   }
>   
>   public void doFilter(ServletRequest request, ServletResponse response,
>       FilterChain chain) throws IOException, ServletException {
>     if (request instanceof HttpServletRequest) {
>       HttpServletRequest httpRequest = (HttpServletRequest) request;
>       if (httpRequest.getMethod().equals("POST")
>           && httpRequest.getSession() != null
>           && !httpRequest.getSession().isNew()
>           && httpRequest.getRequestURI().endsWith(url)) {
>         httpRequest.getSession().invalidate();
>         httpRequest.getSession(true);
>         log.info("new Session:" + httpRequest.getSession().getId());
>       }
>     }
>     chain.doFilter(request, response);
>   }
>   
>   public void init(FilterConfig filterConfig) throws ServletException {
>     url = filterConfig.getInitParameter("url");
>     if (url == null) {
>       throw new ServletException(
>           "please specify parameter 'url' with login URL");
>     }
>   }
>   
> }
> 	
> The web.xml:
> Code:
> 	<filter>
> 		<display-name>NewSessionFilter</display-name>
> 		<filter-name>NewSessionFilter</filter-name>
> 		<filter-class>
> 			NewSessionFilter
> 		</filter-class>
> 		<init-param>
> 			<param-name>url</param-name>
> 			<param-value>/iss/login.jsf</param-value>
> 		</init-param>
> 	</filter>
> 	<filter-mapping>
> 		<filter-name>NewSessionFilter</filter-name>
> 		<servlet-name>Faces Servlet</servlet-name>
> 		<url-pattern>/iss/login.jsf</url-pattern>
> 		<dispatcher>REQUEST</dispatcher>
> 	</filter-mapping>
> 	 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        



More information about the seam-issues mailing list