3 Replies Latest reply on Jan 5, 2008 4:25 PM by ahus1

    OWASP / New Session after Login

    ahus1

      Hello,

      OWASP has compiled a "top 10" vulnerabilities for web applications.

      One suggestion against session hijacking was the following: Start a new HTTP-Session after a successful login:

      "Consider regenerating a new session upon successful authentication or privilege level change."

      http://www.owasp.org/index.php/Top_10_2007-A7

      Does anybody have a suggestion how to implement this with seam?

      Are there any votes for a change request?

      I have thought of invalidating the current HTTP session, creating a new one and copying all elements from the old session to the new session. But Seam 2.0.0 doesn't allow this:

      When I use the low-level functions this is blocked by IllegalStateException("Please end the HttpSession via Seam.invalidateSession()") in Lifecycle.

      When I use Seam.invalidateSession(), the session is only destroyed at the end of the request and I am unable to copy any objects.

      Thanks, Alexander.

        • 1. Re: OWASP / New Session after Login
          shane.bryzak

          Seam currently doesn't support generating a new session in the middle of a request, however the owasp.org page you cited contains a great list of points. Feel free to raise this in JIRA and assign to me (and please include the URL to the list), that way it won't get swept under the rug.

          • 2. Re: OWASP / New Session after Login
            ahus1

            I found the following workaround to assure that there is a new session after a login: by destroying the original session before the login using a small filter.

            This is only a workaround as it destroys the previous session completely -- anything e.g. in a shopping basket will be lost (as my application doesn't have a shopping basket this is not a problem for me).

            A "nice" implementation in seam shouldn't have this limitation.

            I will open a ticket shortly.

            Alexander.

            The Java Class:

            import java.io.IOException;

            import javax.servlet.Filter;
            import javax.servlet.FilterChain;
            import javax.servlet.FilterConfig;
            import javax.servlet.ServletException;
            import javax.servlet.ServletRequest;
            import javax.servlet.ServletResponse;
            import javax.servlet.http.HttpServletRequest;

            import org.apache.commons.logging.Log;
            import org.apache.commons.logging.LogFactory;

            /**
             * This filter enforces a new session whenever there is a POST, should be mapped
             * to the URL of the login page in your web.xml
             * @author Alexander Schwartz 2007
             */
            public class NewSessionFilter implements Filter {
                private Log log = LogFactory.getLog(NewSessionFilter.class);

                /** Login URL suffix, read from the filter's init-param "url". */
                private String url;

                public void destroy() {
                    // empty.
                }

                public void doFilter(ServletRequest request, ServletResponse response,
                        FilterChain chain) throws IOException, ServletException {
                    if (request instanceof HttpServletRequest) {
                        HttpServletRequest httpRequest = (HttpServletRequest) request;
                        // Only act on a POST to the login URL that arrives with an existing
                        // (non-fresh) session: drop that session and start a new one so the
                        // authenticated user never keeps the session id used before login.
                        if (httpRequest.getMethod().equals("POST")
                                && httpRequest.getSession() != null
                                && !httpRequest.getSession().isNew()
                                && httpRequest.getRequestURI().endsWith(url)) {
                            httpRequest.getSession().invalidate();
                            httpRequest.getSession(true);
                            log.info("new Session:" + httpRequest.getSession().getId());
                        }
                    }
                    chain.doFilter(request, response);
                }

                public void init(FilterConfig filterConfig) throws ServletException {
                    url = filterConfig.getInitParameter("url");
                    if (url == null) {
                        throw new ServletException(
                                "please specify parameter 'url' with login URL");
                    }
                }

            }



            The web.xml:

            <filter>
                <display-name>NewSessionFilter</display-name>
                <filter-name>NewSessionFilter</filter-name>
                <filter-class>
                    NewSessionFilter
                </filter-class>
                <init-param>
                    <param-name>url</param-name>
                    <param-value>/iss/login.jsf</param-value>
                </init-param>
            </filter>
            <filter-mapping>
                <filter-name>NewSessionFilter</filter-name>
                <servlet-name>Faces Servlet</servlet-name>
                <url-pattern>/iss/login.jsf</url-pattern>
                <dispatcher>REQUEST</dispatcher>
            </filter-mapping>
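            The workaround above throws the old session away, which is the limitation the post itself points out. The filter below is an added example (not Alexander's code and not part of Seam) of the "nice" variant the post asks for, written against the plain servlet API: it copies the old session's attributes into a map, invalidates the old session, creates a fresh one with a new id, and restores the attributes, so a pre-login shopping basket survives while the pre-login session id does not. The class name SessionRegenerationFilter and the init-param name "url" are assumptions chosen to mirror the NewSessionFilter configuration; on a Seam 2.0.0 container the invalidate() call would still hit the IllegalStateException described in the first post, so this only applies where the servlet container owns the session lifecycle.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example (hypothetical class, not from the thread): regenerates the
 * session id on a POST to the login URL while keeping the session contents.
 * Map it exactly like NewSessionFilter in web.xml, with init-param "url".
 */
public class SessionRegenerationFilter implements Filter {

    /** Login URL suffix from the filter's init-param "url" (assumed name). */
    private String loginUrl;

    public void init(FilterConfig config) throws ServletException {
        loginUrl = config.getInitParameter("url");
        if (loginUrl == null) {
            throw new ServletException("init-param 'url' with the login URL is required");
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            // Regenerate before the login form is processed, so whatever
            // authenticated state the application stores afterwards lands in
            // a session whose id the client did not hold before authentication.
            if ("POST".equals(httpRequest.getMethod())
                    && httpRequest.getRequestURI().endsWith(loginUrl)) {
                regenerateSession(httpRequest);
            }
        }
        chain.doFilter(request, response);
    }

    /**
     * Replaces the current session with a new one that carries the same
     * attributes. Returns the new session (or a fresh empty one if the
     * request had no session yet).
     */
    static HttpSession regenerateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            return request.getSession(true);
        }

        // Snapshot the attributes: they become unreachable once invalidate() runs.
        Map<String, Object> saved = new HashMap<String, Object>();
        Enumeration<?> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            saved.put(name, old.getAttribute(name));
        }

        old.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }

    public void destroy() {
        // nothing to release
    }
}
```

            Two points worth keeping in mind when using this pattern: the attribute copy must happen before invalidate(), because the old session's attributes are no longer accessible afterwards, and any framework that caches the HttpSession object for the duration of the request (as Seam 2.0.0 does via its lifecycle) will keep a reference to the invalidated one, which is exactly why the thread asks for framework-level support. Later servlet versions (3.1 onwards) added HttpServletRequest.changeSessionId(), which rotates the id in place without the copy step.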
            


            • 3. Re: OWASP / New Session after Login
              ahus1

              There's now

              http://jira.jboss.org/jira/browse/JBSEAM-2450

              Everybody is free to WATCH this ticket and to VOTE for it.

              Thanks, Alexander.