Does the Play! framework have any built in mechanism to prevent session hijacking?

I've read that the play framework solves the session fixation issue by hashing the session id with the application key, but does it provide any mechanism to prevent session hijacking, or is this left up to the implementor?

asked Jan 04 '12 17:01 by marchaos


1 Answer

The play documentation has a good section on security, so rather than duplicate, here is a link - http://www.playframework.org/documentation/1.2.4/security.

It covers

  • XSS
  • SQL Injection
  • Session security
  • Cross site request forgery

Some you have to implement yourself, others you don't.

Your specific question about session hijacking is automatic.

The session is a hash of key/values, signed but not encrypted. That means that as long as your secret is safe, it is not possible for a third-party to forge sessions.

answered Oct 06 '22 14:10 by Codemwnci
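To make the "signed but not encrypted" point concrete, here is an added Python model of such a session cookie; it is not Play's own code, and the serialization (percent-encoded key=value pairs) and the HMAC-SHA1 signature are assumptions. It shows that a reader of the cookie sees the values in clear, while any edit made without the secret fails verification; the signature proves integrity, not who is presenting the cookie, so transport protection of the cookie itself still matters.

```python
import hmac
import hashlib
from typing import Optional
from urllib.parse import quote, unquote

# Constructed model of a signed-but-not-encrypted session cookie.
# Serialization and HMAC-SHA1 are assumptions, not Play's own code.
APP_SECRET = b"constructed-example-secret-do-not-reuse"


def serialize(session: dict) -> str:
    # Percent-encode keys and values so '&' or '=' inside a value cannot
    # smuggle in an extra key when the cookie is parsed back.
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                    for k, v in sorted(session.items()))


def deserialize(data: str) -> dict:
    if not data:
        return {}
    out = {}
    for pair in data.split("&"):
        k, _, v = pair.partition("=")
        out[unquote(k)] = unquote(v)
    return out


def sign(data: str, secret: bytes = APP_SECRET) -> str:
    return hmac.new(secret, data.encode(), hashlib.sha1).hexdigest()


def encode_cookie(session: dict, secret: bytes = APP_SECRET) -> str:
    data = serialize(session)
    return f"{sign(data, secret)}-{data}"


def decode_cookie(cookie: str, secret: bytes = APP_SECRET) -> Optional[dict]:
    """Return the session dict, or None if the signature does not verify."""
    sig, sep, data = cookie.partition("-")  # hex digest never contains '-'
    if not sep:
        return None
    # Constant-time comparison so the check does not leak the expected MAC.
    if not hmac.compare_digest(sig, sign(data, secret)):
        return None
    return deserialize(data)


def demo():
    cookie = encode_cookie({"username": "alice", "role": "user"})
    readable = "username=alice" in cookie  # payload is plaintext
    tampered = cookie.replace("role=user", "role=admin")  # no secret used
    return readable, decode_cookie(cookie), decode_cookie(tampered)
```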