Resolving Session Fixation in JBoss

I need to prevent Session Fixation, a particular type of session hijacking, in a Java web application running in JBoss. However, it appears that the standard idiom doesn't work in JBoss. Can this be worked around?

Warren Blanchet asked Aug 11 '08 22:08


1 Answer

This defect (found here) points the way to the solution. The Tomcat instance that runs in JBoss is configured with emptySessionPath="true", rather than "false", which is the default. This can be modified in .../deploy/jboss-web.deployer/server.xml; both the HTTP and AJP connectors have this option.

The feature itself is used to keep the context path (e.g. "foo" in http://example.com/foo) from being included in the JSESSIONID cookie. Setting it to false will break applications that rely on cross-application authentication, which includes stuff built using some portal frameworks. It didn't negatively affect the application in question, however.

Warren Blanchet answered Sep 27 '22 22:09
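The "standard idiom" the question refers to, as an added example (not code from the question, the answer, or JBoss): invalidate the session at login and create a fresh one, then verify that the ID actually changed. The check matters here because a Tomcat connector with emptySessionPath="true" reuses the ID presented in the JSESSIONID cookie when it creates the new session, so the idiom fails silently. The class name SessionRotation and the use of the javax.servlet API are assumptions.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: rotate the session ID at login to defeat session fixation. */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Replaces the caller's session with a fresh one, carrying over any
     * pre-login attributes (a shopping cart, for instance), and returns it.
     * Fails closed if the container handed back the same ID, which is what
     * happens when the connector is configured with emptySessionPath="true".
     */
    public static HttpSession rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        String oldId = null;
        if (old != null) {
            oldId = old.getId();
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate(); // drop the (possibly attacker-chosen) session
        }
        HttpSession fresh = request.getSession(true);
        if (oldId != null && oldId.equals(fresh.getId())) {
            // The ID the client presented survived: the rotation did nothing.
            throw new IllegalStateException(
                "Session ID was not rotated; check emptySessionPath on the connector");
        }
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Call rotate(request) after credentials have been verified and before marking the session as authenticated; a thrown IllegalStateException in the login path is the signal that the server.xml connectors still carry emptySessionPath="true".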