[Java-project] Session Fixation

Jeff Williams jeff.williams at owasp.org
Thu Aug 10 15:15:22 EDT 2006

I think it's important to remind developers to call session.invalidate() and
then request.getSession(true) every time they 1) authenticate, 2) logout, 3)
switch into SSL, 4) switch out of SSL.  Of course if they're using their own
session id scheme (bad idea) then it better not accept unknown sessionid's
and create a session with them.


While we're on the subject, url-rewriting is a really bad idea.  It puts the
sessionid in the URL where it is pretty likely to get bookmarked, emailed to
others, included in a referer header, or logged somewhere.





From: java-project-bounces at lists.owasp.org
[mailto:java-project-bounces at lists.owasp.org] On Behalf Of Ferguson, David
Sent: Thursday, August 10, 2006 12:16 PM
To: java-project at lists.owasp.org
Subject: Re: [Java-project] Session Fixation


Three things that would definitely help are:


1. Generate the session ID after authentication.  Some applications set a
cookie (JSESSIONID for example) into the browser upon hitting the login page
and continue to use the same ID for session management after successful
login.  This makes it possible for someone to grab valid session ID's that
could be used for an attack.  The session ID should be set after
authentication OR a new value should be created after authentication.


2. Make sure the application is free from XSS vulnerabilities - black list
the dangerous chars and use output encoding on dynamic values when
generating the HTML.


3. If using cookies, make sure it is a secure cookie, meaning the browser
will not send it unless it's an https request.  You should see "; secure" at
the end of the Set-Cookie header in the response.





From: java-project-bounces at lists.owasp.org on behalf of Rohyt Belani
Sent: Wed 8/9/2006 5:33 PM
To: java-project at lists.owasp.org
Subject: [Java-project] Session Fixation

Question for all you java experts:

What is a practical fix for session fixation in a jsp web application?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/java-project/attachments/20060810/0a04700f/attachment-0002.html 

More information about the Java-project mailing list