Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

what is the vulnerability of having Jsessionid on first request only

Tags:

security

jsessionid

Recently we removed jsessionid from URL did cookies based session management to prevent "session hijacking attack"

But we found that first request URL always has jsessionid when cookies are enabled and subsequent request URL has NO jsessionid.

using the jsessionid from first url we could directly hit other pages in the workflow

Question : is there any security vulnerability exposing jsessionid only on first request?

There is a solution to remove jsessionid from first request , but wanted to check , if its really vulnerable to mandate the changes

thanks J

EDIT : I got my doubt clarified. Thanks for replies.

like image 648
Jenga Blocks Avatar asked Dec 17 '22 18:12

Jenga Blocks

2 Answers

What you've done here could improve the overall security of the solution somewhat, but won't necessarily prevent session hijacking.

the security issue with placing the session ID in the URL is that URLs are exposed in various places (eg, copy and pasted URLs could expose a live session, URLs can be stored in proxy server logs, web server logs and browser history), which could allow an attacker to grab a valid session ID and get access to your users data.

Ideally you should remove the JSESSIONID from the URL in all places, and only use cookie storage.

Additionally if you want to mitiate Session hijacking there's a number of other areas to consider.

You need to use SSL on all pages where the session ID is passed (this is to mitigate the risk of the session ID being intercepted in transit (eg, the Firesheep attack).

If the session ID is set before you authenticate the user, you should ensure that a new session ID is issued when the user logs in.

Also if possible the session cookies should be use of the httpOnly and secure flags, to reduce the risk of them being leaked over cleartext channels.

There's some good additional information on the OWASP Site

BTW if you've got more question on the security side of things, there's a stack exchange site specifically for that at Security.stackexchange.com

like image 143
Rory McCune Avatar answered Dec 28 '22 11:12

Rory McCune

did cookies based session management to prevent "session hijacking attack"

Whats stopping the cookie being hijacked?

Session managment is a server side thing - You need to server to check (based on the cookie) that the user is meant to be logged in.

I don't think you've improved security here at all to be honest, take a look at this excellent article to see why.

like image 41
m.edmondson Avatar answered Dec 28 '22 09:12

m.edmondson
Sign in to Comment

Related questions

How can I get the active user name in a SYSTEM process using C++?
How to Download Files From 115.com?
How to secure app - backend communications?
How does one run Java 8's nashorn under a SecurityManager
MySQL "INSERT" and SQL injection
Purpose of using permitAll() in PreAuthorize annotation in Spring Security
Is secure to use a md5 hash as registering string token?
Is storing aws cognito JWT key in frontend javascript insecure?
j_security_check and JAAS
Unlinked web pages on a server - security hole?
Is it possible to write malware that runs on .NET?
Accessing private static methods from a public static context
Prevent query string manipulation by adding a hash?
How do I limit the size of a Net::HTTP request?
What's the point in providing an MD5 or SHA1 hash along with a downloadable executable?
Is It Possible To Reconstruct a Cryptographic Hash's Key
Should a web page with a login form be secured?
avoid session hijacking for Web Applications
Is it a bad idea to automatically log users in from an email?
What steps can be taken to ensure the security of a PHP application?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!