Hi ,
Now our security team reported an issue Session Fixation : after user login project on machine A , if i copy cookie JSESSIONID to the machine B , the user on machineB can view the private content of the project ,
so do you have any advice about this issue , thanks !
Steps to Reproduce:
1. Get cookie from the browser on machine A.
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=DWQ6ztJvJeEZA77uVzE3Dg__
^^^^^^^^^^^^^^^^^^^^^^^^
Connection: keep-alive
Cache-Control: max-age=0
2. Clear cookie of browser on machine B.
3. Request project homepage on machine B and modify the set-cookie to A's cookie in the response.
GET XXX HTTP/1.1
Host: XXXXXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 15 Aug 2013 10:45:23 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=DWQ6ztJvJeEZA77uVzE3Dg__; Path=/; Secure
^^^^^^^^^^^^^^^^^^^^^^^^^
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 24896
4. Login in browser of machine B.
Actual results:
Both machine A and B login the project successfully.
Expected results:
Machine A should not login without providing any credential.
Additional info:
Attacker can modify user's cookie by sending a malicious link to user.