-
1. Re: JSESSION ID is not changing after authentication
mchoma Mar 1, 2016 5:08 AM (in response to vvn07)You can't configure undertow with org.apache.catalina.* system property. Changing session is default behaviour in undertow [1] from some point. Can you upgrade?
-
2. Re: JSESSION ID is not changing after authentication
pferraro Mar 2, 2016 10:12 AM (in response to vvn07)I strongly encourage you to upgrade to WildFly 10.0.0.Final, where this issue is fixed. Otherwise, as mchoma mentioned, you can manually upgrade Undertow to 1.1.10.Final.
-
3. Re: JSESSION ID is not changing after authentication
abhinav.gupta01 Jun 1, 2018 9:41 AM (in response to pferraro)Hi Paul,
Sorry for asking. We are on WildFly 10 and facing the same issue. Do we have to make some configuration changes to enable such behaviour? If yes, can you help me with the needed configuration change for undertow?
Thanks,
Abhinav
-
4. Re: JSESSION ID is not changing after authentication
pferraro Jun 4, 2018 11:34 AM (in response to abhinav.gupta01)What mechanism are you using to authenticate users? This behavior only triggers when standard servlet authentication is used.
-
5. Re: JSESSION ID is not changing after authentication
abhinav.gupta01 Jun 6, 2018 9:34 AM (in response to pferraro)we are using form based authentication.
-
6. Re: JSESSION ID is not changing after authentication
abhinav.gupta01 Sep 19, 2018 4:39 AM (in response to vvn07)Hello,
To update, I overcame it by writing a custom filter for it. It works nicely.
-
7. Re: JSESSION ID is not changing after authentication
bschatz Sep 19, 2018 7:51 AM (in response to vvn07)The jsessionid *must not* change after login,
this would violate the servlet specification. (Chapter Security, Login and Logout):
,, ...
Containers may create HTTP Session objects to track login state. If a developer
creates a session while a user is not authenticated, and the container then
authenticates the user, the session visible to developer code after login must be the
same session object that was created prior to login occurring so that there is no loss
of session information.''
So the behaviour of wildfly is as specified.
-
8. Re: JSESSION ID is not changing after authentication
abhinav.gupta01 Sep 21, 2018 2:05 AM (in response to bschatz)Agreed from specification perspective, but per security recommendations , if a user open a form based authentication page ( didn't enter credentials yet ) and a hacker got access to jsessionid , then post real user validation that can be used to gain access to system without knowing credentials.
Not sure , if we have some other way to prevent it.
Thoughts ?
-
9. Re: JSESSION ID is not changing after authentication
mchoma Sep 21, 2018 3:17 AM (in response to abhinav.gupta01)Yes, imagine a hacker sends a URL with a sessionId and the user clicks on it. In this case it is good that the application changes the session id after login.
-
10. Re: JSESSION ID is not changing after authentication
bschatz Sep 21, 2018 3:17 AM (in response to abhinav.gupta01)I don't see why changing a jsessionid is increasing the security.
Let us assume the communication between client and login page is https,
then an attacker can get the jsessionid in only two ways
(1) The attacker was able to get it from the login page
==> Then you have a much bigger problem
(2) From the client directly
==> Then he will also be able to get a new jsessionid.
From where did you get this security recommendation?
-
11. Re: JSESSION ID is not changing after authentication
abhinav.gupta01 Sep 21, 2018 3:39 AM (in response to bschatz)Internally we get recommendations from internal product security, but it's a common session fixation issue.
https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OTG-SESS-003)
-
12. Re: JSESSION ID is not changing after authentication
bschatz Sep 21, 2018 4:26 AM (in response to mchoma)I thought we were talking about jsessionid with cookies.
jsessionid in URL allows session fixation attacks.
The solution here is easy: ,,disable jsessionid with URL rewriting''.
From the servlet specification ==>
,, URL rewriting should not be used as a session tracking mechanism where
cookies or SSL sessions are supported and suitable.''
Or do you have a reason to allow browsers access to your application that
don't accept cookies?
example (web.xml)
<session-config>
<tracking-mode>COOKIE</tracking-mode>
<cookie-config>
<http-only>true</http-only> <!-- don't allow reading the sessionid with javascript -->
<secure>true</secure> <!-- only https -->
</cookie-config>
</session-config>
hope this helps.
-
13. Re: JSESSION ID is not changing after authentication
saurabhss Nov 22, 2019 5:00 AM (in response to abhinav.gupta01)Hi Abhinav: Have you got the solution? I am also facing the same issue.
I am using WildFly 18 and the JBoss Seam Framework (2.2.2).
Thanks in advance
-
14. Re: JSESSION ID is not changing after authentication
pferraro Dec 9, 2019 8:40 PM (in response to bschatz)bschatz wrote:
The jsessionid *must not* change after login,
this would violate the servlet specification. (Chapter Security, Login and Logout):
,, ...
Containers may create HTTP Session objects to track login state. If a developer
creates a session while a user is not authenticated, and the container then
authenticates the user, the session visible to developer code after login must be the
same session object that was created prior to login occurring so that there is no loss
of session information.''
So the behaviour of wildfly is as specified.
I think you are misinterpreting the specification. This above snippet says nothing about the session identifier, only the session object. A session identifier is a property of a session object and can change independently. Thus the session object can be the same before and after login, even if the identifier changes. Nor is the old session identifier truly "lost", as it is available to registered HttpSessionIdListeners.
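The custom-filter approach mentioned in reply 6, together with the HttpSessionIdListener point from the reply above, as an added example that is not from this thread or from WildFly itself: a Servlet 3.1 filter that calls changeSessionId() on the first request that arrives authenticated, so the session object and its attributes survive while the identifier is replaced. The class names and the session attribute name are assumptions.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

// Rotates the session identifier once, on the first request that is already
// authenticated by the container (e.g. right after a FORM login succeeded).
// Class and attribute names are hypothetical; this is not WildFly code.
@WebFilter("/*")
public class SessionIdRotationFilter implements Filter {
    // Marker kept in the session so the id is changed exactly once per login.
    static final String ROTATED_ATTR = "example.sessionIdRotated";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);
        if (session != null && request.getUserPrincipal() != null
                && session.getAttribute(ROTATED_ATTR) == null) {
            // Servlet 3.1: same HttpSession object, fresh id, new JSESSIONID cookie.
            // A pre-login id an attacker may have fixed is no longer valid.
            request.changeSessionId();
            session.setAttribute(ROTATED_ATTR, Boolean.TRUE);
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}

// Observes each rotation: the old identifier is handed to the listener, not lost.
@WebListener
class SessionIdAudit implements HttpSessionIdListener {
    private static final Logger LOG = Logger.getLogger(SessionIdAudit.class.getName());

    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        LOG.info("session id rotated after login; old id " + oldSessionId
                + " replaced by " + event.getSession().getId());
    }
}
```

The filter only reacts to container-managed authentication (getUserPrincipal() is set), so it complements, rather than replaces, the cookie-only tracking mode shown in reply 12.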