1 Reply Latest reply on Sep 15, 2006 8:58 PM by haex

    jsessionid and URL rewriting

    gulloo

      Guys,

      I am having an issue here:

      Platform : JBoss-4.04 on redhat

      When a user logs in to our application (form-based auth), he gets redirected to the home landing page with the URL showing as

      http://salesgene.demo.salesgene.com/salesgene-home.faces;jsessionid=EECFDDBE78B3779711625CA0C5BE634C


      here is the scenario:

      1. Cookies are enabled.
      2. However, the presence of jsessionid in the URL causes me to believe that this is susceptible to session hijacking.

      3. I used the open-source "wget" command-line tool to fetch the pages. I constructed the following command line from a different PC:
      wget --header 'Cookie: JSESSIONID=EECFDDBE78B3779711625CA0C5BE634C' 'http://salesgene.demo.salesgene.com/salesgene-home.faces' -O home.html --post-data

      This will retrieve the HTML of the home page for the user whose session ID I copied.


      This is obviously a big security hole, and it stems from the fact that I can see the jsessionid in the URL. Even HTTPS does not help in this case.


      My questions to all the gurus:

      - Any architecture suggestions to overcome this?
      - How do I suppress the jsessionid coming up in the URL, if that is possible? Once that happens, and if we use SSL, then we can be sure that our HTTP headers are encrypted and the jsessionid is not visible to sniffers.
      - This test obviously fails on a browser: if I try to hijack a session ID and use it in a new browser instance, I get the login page of our app. The problem is exposed only if I use telnet to port 80 or a tool like wget.

      Any help is appreciated.
      Thanks,

      Sanjay Gulati
      -
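An added example, not from this thread or from JBoss, of the second question (keeping the jsessionid out of the URL): a Servlet 2.4 filter for JBoss 4.0.x that makes the container's URL rewriting a no-op and bounces any request carrying the id in its path to a clean URL, so a session is only ever resumed from the JSESSIONID cookie. The class name is assumed; map it to /* in web.xml ahead of the application's other filters.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Added example (not the forum poster's or JBoss's code); the class name is assumed.
public class CookieOnlySessionFilter implements Filter {

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The session id arrived as ";jsessionid=..." in the path. Redirect to the
        // same URL without it: a real user's browser re-sends the JSESSIONID cookie
        // on the follow-up request, while a copied link alone carries no cookie and
        // lands on the login page. getServletPath/getPathInfo already exclude the
        // path parameter, so the redirect target is clean and cannot loop.
        if (request.isRequestedSessionIdFromURL()) {
            String clean = request.getContextPath() + request.getServletPath();
            if (request.getPathInfo() != null) clean += request.getPathInfo();
            if (request.getQueryString() != null) clean += "?" + request.getQueryString();
            response.sendRedirect(clean);
            return;
        }

        // Make URL rewriting a no-op so that neither JSF navigation nor application
        // calls to encodeURL/encodeRedirectURL ever append the session id.
        HttpServletResponse noRewrite = new HttpServletResponseWrapper(response) {
            public String encodeURL(String url) { return url; }
            public String encodeRedirectURL(String url) { return url; }
            public String encodeUrl(String url) { return url; }          // deprecated variants,
            public String encodeRedirectUrl(String url) { return url; }  // still called by old code
        };
        chain.doFilter(request, noRewrite);
    }
}
```

Redirects issued by the container's own form authenticator run before filters, so the bounce branch is what cleans up the post-login landing URL; the wrapper handles everything the application itself emits.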