27 Replies Latest reply on Aug 25, 2016 5:34 AM by jfclere

    Change of jsessionid after login

    singhakanksha

      Hi,

       

      I have an issue related to the change of JSESSIONID on login.

      I am working on an ATG ecommerce application, where I am using jboss-eap-4.2 server and ATG9.1. We have a critical security issue which says that after login, the session id does not change. As this could lead to a "middle-man-attack", we need to change the session id after every login.

      In our login page, we have a cookie for "remember me" functionality that stores only the username id (and not the password). I could see that the cookie stores the JSESSIONID, which does not change after login. As a security fix, I have made the cookie "secure". But this still does not solve our problem.

      How can we make sure that the session id is being changed or a new session is created and all data related to the previous session (session attributes and cookies) is copied over to the new one?

       

      I am new to the Jboss community. Kindly let me know if any other information is also required.

       

      Thanks in Advance

       

      Regards

      Akanksha

        • 1. Re: Change of jsessionid after login
          quincyleung

          Hi Akanksha,

          I am experiencing the same problem.

          It happens when a user logs out and logs back in using the same browser window.

           

          I tried to google it a bit and tried the following, but neither works:

          1) setting -Dorg.apache.catalina.connector.Request.SESSION_ID_CHECK=true

          2) removing the jsessionid cookie when invalidating the session during logout

           

          I am using jboss 4.2.3 here.

           

          Hope someone can lend us a hand.

          • 2. Re: Change of jsessionid after login
            shantanu.u

            Did anyone find a solution to this? I'm using jboss 4.2.3 as well.

             

            When user goes to the welcome page ( not logged in yet ), a session id is created.

            When user enters the credentials, and successfully logs in, the same session id is used.

             

            I don't see this problem in Tomcat.

             

            org.apache.catalina.connector.Request.SESSION_ID_CHECK does not work.

            • 3. Re: Change of jsessionid after login
              jfclere

              emptySessionPath in the Connector?

              • 4. Re: Change of jsessionid after login
                shantanu.u

                I read the documentation on SESSION_ID_CHECK and emptySessionPath. Can you please explain how these solve the problem? I guess these fixes have helped some and not worked for others.

                • 5. Re: Change of jsessionid after login
                  jfclere

                  SESSION_ID_CHECK allows a session id to be reused if it is already used in any application of the container.

                  emptySessionPath sets the cookie path to / so the cookie is shared between the webapps. (if you are using a portal you may need it).

                  • 6. Re: Change of jsessionid after login
                    shantanu.u

                    I have tomcat 6.0.35 in my local dev env and jboss 4.2.3 on unix.

                    This problem only happens on jboss. If I make the tomcat within Jboss the same as my standalone local tomcat, it should work. Sounds simple.

                     

                    Tomcat, by default shows the path in the http headers. Therefore, I set emptySessionPath="false" in \server\default\deploy\jboss-web.deployer\server.xml

                    Now I see the path. Great! But that doesn't fix the problem.

                     

                    Is it possible that changeSessionIdOnAuthentication is the culprit? If so, where do I set this in Jboss?

                    • 7. Re: Change of jsessionid after login
                      shantanu.u

                      Quincy, were you able to resolve the session id fixation problem? If so, can you post it here. Thanks.

                      • 8. Re: Change of jsessionid after login
                        shantanu.u

                        Since I'm using j_security_check authentication... how can the session be invalidated when using container-managed authentication? My login module is in a common jar and I cannot modify that code. I would need some kind of a login pre-processor to do this.

                        • 9. Re: Change of jsessionid after login
                          al.stream

                          I think I have a simple solution. Invalidate the session and delete the cookie named jsessionid!

                           

                          -- login page code:

                           

                          a) Call the invalidate function for the httpsession

                          b) Tell client to delete the cookie named jsessionid

                           

                          -- User example


                          1. User goes to webpage, which is http, gets a session and jsessionid

                          2. User goes to login page, which is HTTPS

                          3. The login page invalidates the session and deletes the jsessionid cookie for good measure

                          4. Whatever page the user goes to after the login page, is issued a new jsessionid cookie

                           

                          Seems to work after some initial testing, but probably will have to experiment more. The one thing I need to verify is that the first jsessionid is indeed purged from the session id list.
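As an added illustration of the procedure above (invalidate the session, expire the jsessionid cookie, let the next request get a fresh id) combined with the original question's requirement to carry the old session's attributes over, here is a hypothetical helper that is not from any poster in this thread. It targets a Servlet 2.5 container such as JBoss 4.2, where HttpServletRequest.changeSessionId() (Servlet 3.1) is not available; on a Servlet 3.1+ container that single call does the same rotation. The class name SessionRotator and the method name rotate are assumptions.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper: rotates the session id at the moment credentials are
 * accepted, so the id the browser held before authentication (which an attacker
 * may have planted) never becomes an authenticated session.
 */
public final class SessionRotator {

    private static final String SESSION_COOKIE = "JSESSIONID";

    private SessionRotator() {
    }

    /**
     * Replaces the current session with a fresh one. Attributes of the old
     * session are copied across; in a real application prefer an allow-list
     * of attribute names so that pre-authentication state does not leak into
     * the authenticated session unexamined.
     *
     * @return the new session, whose id differs from the pre-login one
     */
    public static HttpSession rotate(HttpServletRequest request, HttpServletResponse response) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();

        if (old != null) {
            // Copy attributes first: after invalidate() the old session is unusable.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }

        // Expire the old cookie explicitly. The path must match the one the
        // container used: "/" when emptySessionPath=true, else the context path.
        Cookie expired = new Cookie(SESSION_COOKIE, "");
        expired.setMaxAge(0);
        String contextPath = request.getContextPath();
        expired.setPath(contextPath.length() == 0 ? "/" : contextPath);
        expired.setSecure(request.isSecure());
        response.addCookie(expired);

        // getSession(true) after invalidate() creates a session with a new id; the
        // container appends its own Set-Cookie for it, which supersedes the
        // expiring one above because it is sent later in the same response.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

Call rotate(request, response) in the login servlet only after the credentials have been verified and before anything is written to the response body, since the Set-Cookie headers must still be sendable. A quick check that the fix works is to compare the id from request.getSession(false) before the call with fresh.getId() after it; the two must differ, and the old id must no longer resolve to a session on a subsequent request.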

                          • 10. Re: Change of jsessionid after login
                            endrigoantonini

                            I know it has been a long time since this post, but I'm having the same problem!

                             

                            But I'm using JBoss 7.x.x.

                             

                            Is there any way to regen the sessionId to the user?

                            I'm using a custom login module.

                            • 11. Re: Change of jsessionid after login
                              greco

                              I'm trying to find an answer as well. I don't understand why they rejected your ticket to begin with, it seemed valid on all points.

                              • 12. Re: Change of jsessionid after login
                                endrigoantonini

                                I agree with you.

                                I just commented on the issue to understand why he closed it.

                                 

                                To all the people that are having the same issue or problem, here is the issue that I created. AS7-5315

                                 


                                • 13. Re: Change of jsessionid after login
                                  greco

                                  I figured it out!! You need to write a custom FormAuthenticator that sets the change session id on authentication to true before the call to authenticate and add it as a valve in your jboss-web.xml.

                                   

                                  Here's what I did:

                                   

                                  Write a custom FormAuthenticator

                                  import java.io.IOException;
                                  
                                  import javax.servlet.http.HttpServletResponse;
                                  
                                  import org.apache.catalina.authenticator.FormAuthenticator;
                                  import org.apache.catalina.connector.Request;
                                  import org.apache.catalina.deploy.LoginConfig;
                                  
                                  // FormAuthenticator subclass that turns on session id rotation for
                                  // every authentication attempt handled by this valve.
                                  public class MyAuthenticator
                                     extends FormAuthenticator
                                  { 
                                     @Override
                                     public boolean authenticate(final Request request,
                                        final HttpServletResponse response,
                                        final LoginConfig config) throws IOException
                                     {
                                        // Make the container issue a new session id when the
                                        // credentials are accepted, defeating session fixation.
                                        setChangeSessionIdOnAuthentication(true);
                                  
                                        return super.authenticate(request, response, config);
                                     }
                                  }
                                  

                                   

                                  Add the valve config to your jboss-web.xml

                                  <jboss-web>
                                      <context-root>/<!-- your app context --></context-root>
                                      <security-domain><!-- your domain --></security-domain>
                                      <valve>
                                          <class-name>com.domain.path.to.your.MyAuthenticator</class-name>
                                      </valve>
                                  </jboss-web>
                                  

                                   

                                  If you are using maven make sure you use the correct version of the catalina libraries. Add this to your pom.xml

                                  <dependency>
                                        <groupId>org.apache.tomcat</groupId>
                                        <artifactId>tomcat-catalina</artifactId>
                                        <version>7.0.27</version>
                                        <scope>provided</scope>
                                  </dependency>
                                  

                                   

                                  That's all I had to do on AS7 (7.0.2). On 7.1.1 I believe it's the same approach, but instead of extending the FormAuthenticator from the catalina jar you need to work with the org.jboss.as.web.security.ExtendedFormAuthenticator.

                                   

                                  The session is now changed prior to authentication and session fixation is no longer an issue.

                                  1 of 1 people found this helpful
                                  • 14. Re: Change of jsessionid after login
                                    endrigoantonini

                                    Thanks Greco!

                                     

                                    I'll try this solution!!
