Inspiring
October 15, 2010
Question

Session security issues

  • October 15, 2010
  • 2 replies
  • 1321 views

The application and server security requirements I have to deal with have become quite stringent. A recent issue is whether the J2EE session management is secure. My current practice is to use J2EE Session variables for client information that is set upon login, such as name, email, security role, etc. The only cookie I use is the JSESSIONID that is set by ColdFusion. In application.cfm, I compare the value of the COOKIE.JSESSIONID to that of the SESSION.sessionid that ColdFusion sets (because sessionmanagement is set to true). If the values are not identical, the programming considers the user to be not logged in, clears all variables and relocates them to the home page to start all over.

But it is possible for an attacker to somehow get the value of a currently active sessionid and forge the COOKIE.JSESSIONID value to match.

Any thoughts?
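The Application.cfm check the post describes, written out as an added example (not the poster's own code); the application name, session timeout and home-page path are assumed values, and the redirect-loop guard and `addtoken="false"` are additions the post does not mention:

```cfml
<!--- Application.cfm runs before every request in the application. --->
<!--- Application name and timeout are assumed values for this example. --->
<cfapplication name="exampleApp"
               sessionmanagement="true"
               sessiontimeout="#createTimeSpan(0, 0, 30, 0)#">

<!---
  Session check as described in the post: the JSESSIONID cookie the
  browser sent must equal the SESSION.sessionid ColdFusion assigned to
  the session it resolved for this request. The check only detects a
  mismatch; a request carrying a live session id passes, which is why the
  id must be unguessable and should travel only over SSL.
--->
<cfset sessionIsValid = false>
<cfif structKeyExists(cookie, "JSESSIONID")
      AND structKeyExists(session, "sessionid")
      AND compare(cookie.JSESSIONID, session.sessionid) EQ 0>
    <!--- compare() is case-sensitive, unlike EQ/NEQ; tokens need an exact match --->
    <cfset sessionIsValid = true>
</cfif>

<!--- Assumed home page path. --->
<cfset homePage = "/index.cfm">

<cfif NOT sessionIsValid>
    <!--- Forget everything set at login (name, email, security role, ...) --->
    <cfset structClear(session)>
    <!--- Do not redirect when already on the home page: a browser that
          never returns the cookie would otherwise loop forever. --->
    <cfif cgi.script_name NEQ homePage>
        <!--- addtoken="false" keeps the session id out of the redirect URL --->
        <cflocation url="#homePage#" addtoken="false">
    </cfif>
</cfif>

<!--- Beyond this point, login state is whatever the login page stored on
      the session that matched the cookie; default to not logged in. --->
<cfparam name="session.userLoggedIn" default="false">
```

On a visitor's very first request the cookie is not present yet, so the check sends them to the home page once; from then on the browser returns the JSESSIONID and the comparison succeeds.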


    2 replies

    mkane1 (Author)
    Inspiring
    October 18, 2010

    Thanks for the comments. Hopefully, the security folks will be satisfied that the generated value for the JSESSIONID is sufficiently complex that it cannot be easily guessed. I guess I'll have to dig out details about how the value is generated, they'll want to hear something scientific, like encryption algorithms!

    Owainnorth
    Inspiring
    October 18, 2010

    Generate yourself a JSESSIONID. If they can guess it, buy them a pint and resign

    Community Expert
    October 15, 2010

    This is true for any session management system, whether it uses cookies or not. But it's difficult to find an active JSESSIONID value, as they're generated using a UUID algorithm. If you're worried about an attacker identifying another user's active session by reading HTTP traffic, use SSL.

    Dave Watts, CTO, Fig Leaf Software

    http://www.figleaf.com/

    http://training.figleaf.com/

    Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on

    GSA Schedule, and provides the highest caliber vendor-authorized

    instruction at our training centers, online, or onsite.

    Dave Watts, Eidolon LLC
    mkane1 (Author)
    Inspiring
    October 15, 2010

    Thanks for the response, Dave. Using SSL means the entire site has to be HTTPS. Is the performance factor no longer an issue?

    But even if we make the whole site HTTPS, that protects against an attacker stealing cookies, but not against guessing them, right?

    - Michael

    Community Expert
    October 15, 2010

    There is a performance penalty for using SSL, but there are solutions to address that penalty (SSL hardware acceleration). And, no, SSL doesn't prevent anyone from guessing anything, but the point of using a UUID for session tokens is to make guessing extremely difficult even with brute-force repetitive approaches.

    Dave Watts, CTO, Fig Leaf Software