In the Java Servlet API, what is done to ensure that someone's session id is not stolen?
For example, if I had an active session and someone somehow got hold of my session id, could they use it?
Nothing prevents it. You get the session ID, you can take part in the session.
In the usual case of cookies this is not a risk in itself. The attacker should not be able to read a user's session cookie unless:

- they've got man-in-the-middle capability, in which case you've got much worse problems than just session IDs;
- you've left a cross-site-scripting hole, in which case you've got much worse problems than just session IDs;
- you're vulnerable to DNS-rebinding/cross-domain-cooking attacks, in which case you should fix it by only allowing known-good Host: requests.
(Whilst you can try tying sessions to IP addresses, this risks breaking valid sessions due to e.g. round-robin proxies. IPs can be used as part of a wider strategy for detecting suspicious activity, but on the public internet it's not a good idea always to require each request in a session to come from the same IP.)
Unfortunately in Servlet there is another case, apart from cookies: jsessionid= parameters. Since they appear in the URL itself, that makes them much more leaky (e.g. via referrers and pasted links). And that's far from the only practical problem with parameter session IDs. They mess up navigation and wreck SEO.
In my opinion jsessionid= URLs are one of Servlet's worst early mistakes, a discredited cookie fallback strategy from yesteryear that shouldn't be used for anything. But certainly they shouldn't be allowed to grant access to any privileged data; consider using HTTP Basic Authentication instead if you need a fallback mechanism for browsers that don't support cookies.
In Servlet 3.0 you can disable jsessionid= URLs easily using <session-config> in the web.xml; unfortunately in previous versions you are left mucking around with filters if you want to properly disable the feature.