Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to protect my JSESSIONID from document.execCommand(“ClearAuthenticationCache”)?

Tags:

cookies

session

tomcat

jsessionid

This might be a duplicate of this question, but the solution proposed isn't viable for us: Protect against 3rd party callers of document.execCommand("ClearAuthenticationCache")? Clears our session cookies

Long story short: IE has a way to clear session cookies using JavaScript - document.execCommand(“ClearAuthenticationCache”). This is used in a variety of web apps including Outlook Web App (and presumably many others). Problem is MS in their infinite wisdom decided that this command should clear session cookies for all open sites (can you tell I'm a little bitter, it took me months to find the source of randomly missing JSESSIONIDs).

We use JSESSIONID as well as another token to make sure the user is authenticated. The JSESSIONID is secure and httpOnly. This works well except when the JSESSIONID is wiped out by a third party. So my question is in two parts:

  1. Is there a way I can protect my session cookies from this (let's assume anything involving client side configuration, such as pinning or registry hacks, is a non-option)?

  2. If not, is there a way for me to securely recover from this? Since the JSESSIONID is httpOnly, the browser shouldn't be able to read it, but maybe there is something I'm not thinking off.

If relevant: we use Tomcat 7 as our webserver. The app is a fairly complex SaaS app, and security is fairly important.

Thanks all.

like image 941
Pyro979 Avatar asked Nov 10 '22 07:11

Pyro979

1 Answers

I believe either of the following options would work to protect servlet sessions from document.execCommand(“ClearAuthenticationCache”):

You could set the max-age of your JSESSIONID in your web.xml. That way your JSESSIONID cookie would no longer be a session cookie! This would make your web application slightly less secure as the cookie would still survive after the browser is closed.

You could abandon HTTP cookies altogether and configure Tomcat to do session tracking with the SSL session ID. I've never actually configured it myself, but I would guess that this is more secure than using JSESSIONID cookies. However, session replication is not possible in this configuration.

like image 77
heenenee Avatar answered Nov 15 '22 07:11

heenenee
Sign in to Comment

Related questions

Cookie expiration is related with Session expiration time of server?
How to check whether session has already open transaction or not in hibernate?
Hostname in tomcat cookies
Tomcat clustering - configuring 2 tomcats on different machines
Php, after change session.name, session ID will be changed everytime I load
How to manage session tokens among various client apps (android/iphone) from server side php and mysql?
JSESSIONID changes on request in chrome
Tornado, Django, Websockets, and Session syncing
Node.js run function on session expiry Express & Passport
Yii can't access session variables
Hibernate session handling when using lazy loading in a JSF web application
Laravel CORS subdomain session
Out of proc SessionState memory management
Issue with session_regenerate_id and Chrome prefetch/render
Does Laravel regenerate the Session ID? (compared to CodeIgniter)
AEM session object not garbaged collected
How do I get and set an object in session scope in JSF?
How to consume Session dependent WCF services using Ksoap2-Android

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!