4 Replies Latest reply on Dec 12, 2013 4:10 AM by Anuradha K

    How to avoid Session Fixation

    Wells G Novice

      Hi ,

       

            Now our security team reported an issue Session Fixation :    after user login project on machine A , if i copy cookie JSESSIONID to the machine B , the user on machineB can view the private content of the project ,

      so do you have any advice about this issue ,  thanks !

        • 1. Re: How to avoid Session Fixation
          Wells G Novice

          Steps to Reproduce:

          1. Get cookie from the browser on machine A.

          User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0

          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

          Accept-Language: en-US,en;q=0.5

          Accept-Encoding: gzip, deflate

          Cookie: JSESSIONID=DWQ6ztJvJeEZA77uVzE3Dg__

            ^^^^^^^^^^^^^^^^^^^^^^^^

          Connection: keep-alive

          Cache-Control: max-age=0

           

          2. Clear cookie of browser on machine B.

           

          3. Request project homepage on machine B and modify the set-cookie to A's cookie in the response.

          GET XXX HTTP/1.1

          Host: XXXXXX

          User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0

          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

          Accept-Language: en-US,en;q=0.5

          Accept-Encoding: gzip, deflate

          Connection: keep-alive

           

          HTTP/1.1 200 OK

          Date: Thu, 15 Aug 2013 10:45:23 GMT

          X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1

          Set-Cookie: JSESSIONID=DWQ6ztJvJeEZA77uVzE3Dg__; Path=/; Secure

            ^^^^^^^^^^^^^^^^^^^^^^^^^

          Cache-Control: no-cache

          Content-Type: text/html;charset=UTF-8

          Keep-Alive: timeout=15, max=100

          Connection: Keep-Alive

          Content-Length: 24896

           

          4. Login in browser of machine B.

           

          Actual results:

          Both machine A and B login the project successfully.

           

          Expected results:

          Machine A should not login without providing any credential.

           

          Additional info: 

          Attacker can modify user's cookie by sending a malicious link to user.

          • 2. Re: How to avoid Session Fixation
            Tomaz Cerar Master

            moved to JBoss < 7 forums.

            • 3. Re: How to avoid Session Fixation
              Wells G Novice

              Hi Tomaz ,

                   We have another project which based on JBossAS 7 ,   also have the same problem .

              • 4. Re: How to avoid Session Fixation
                Anuradha K Newbie

                Hi,

                   We are using Jboss 7.0.13 Final. We are having session fixation issue. Could you please address the issue?