[Java-project] Session Fixation

Stephen de Vries stephen at corsaire.com
Mon Aug 14 06:19:14 EDT 2006


On 10 Aug 2006, at 23:15, Ferguson, David wrote:

> Three things that would definitely help are:
>
> 1. Generate the session ID after authentication.  Some applications  
> set a cookie (JSESSIONID for example) into the browser upon hitting  
> the login page and continue to use the same ID for session  
> management after successful login.  This makes it possible for  
> someone to grab valid session IDs that could be used for an  
> attack.  The session ID should be set after authentication OR a new  
> value should be created after authentication.
>
> 2. Make sure the application is free from XSS vulnerabilities -  
> black list the dangerous chars and use output encoding on dynamic  
> values when generating the HTML.

Excuse my nitpicking:
Ideally, this should be done using full white-list based input  
validation and output encoding.  Unless you're using plain old JSPs,  
chances are the view technology already has output encoding built in  
- better to use that than grow your own.

>
> 3. If using cookies, make sure it is a secure cookie, meaning the  
> browser will not send it unless it's an https request.  You should  
> see "; secure" at the end of the Set-Cookie header in the response


-- 
Stephen de Vries
Corsaire Ltd
E-mail: stephen at corsaire.com
Tel:	+44 1483 226014
Fax: 	+44 1483 226068
Web: 	http://www.corsaire.com
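The three points raised in the thread, put together in one servlet login flow. This is an added illustration, not code from the thread or from any OWASP project; the servlet path, the `checkCredentials` stub and the `USERNAME` pattern are assumptions standing in for an application's own authentication store and input rules. It discards any session that existed before login so a pre-planted JSESSIONID is never promoted to an authenticated one (point 1), white-lists the username and HTML-encodes it on output (point 2), and sets the container's session cookie Secure through the Servlet 3.0 `SessionCookieConfig` API (point 3).

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.regex.Pattern;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical login servlet; the "/login" mapping is an assumption. */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Point 2: white-list what a username may look like before it is used anywhere.
    // The allowed character set and length are assumptions for this example.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_.-]{1,32}");

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        if (user == null || pass == null || !USERNAME.matcher(user).matches()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid login request");
            return;
        }
        if (!checkCredentials(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Point 1: any session that existed before authentication (including an ID
        // handed out on the login page or chosen by an attacker) is invalidated, and a
        // fresh session with a newly generated ID is created for the authenticated user.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true); // new JSESSIONID issued here
        session.setAttribute("user", user);

        // Point 2: every dynamic value written into HTML is output-encoded.
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.print("<p>Welcome, " + htmlEncode(user) + "</p>");
    }

    /** Minimal HTML entity encoding for text nodes and double-quoted attribute values. */
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Placeholder for the application's real credential check (assumed, not shown). */
    private boolean checkCredentials(String user, String pass) {
        return false;
    }
}

/** Point 3: mark the container-managed session cookie Secure so the browser only
 *  sends it over HTTPS; the response then carries "; Secure" on Set-Cookie. */
@WebListener
class SessionCookieSetup implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        sce.getServletContext().getSessionCookieConfig().setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```

The `htmlEncode` helper is there to make the encoding step visible; as the reply above notes, a view technology that already encodes output (or a maintained encoding library) is preferable to a hand-rolled encoder. The Secure flag can equally be set declaratively in `web.xml` under `<session-config><cookie-config><secure>true</secure></cookie-config></session-config>` on a Servlet 3.0 container.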