[Ph4nt0m] [zz]JSESSIONID Regeneration in Struts 2

Fri, 05 Sep 2008 00:02:01 -0700 

 

Background

Whenever a user crosses an authentication boundary, the user's session ID
should be regenerated. This concept applies to a user logging into an
application, logging out, or when a user reauthenticates due to a risk-based
authentication process. The regeneration of session IDs is an important
practice that helps eliminate session fixation vulnerabilities and may limit
the impact of session theft vulnerabilities prior to authentication.

For more information on Session Fixation vulnerabilities and Session ID
regeneration practices, please see the OWASP pages below:

http://www.owasp.org/index.php/Session_Fixation
http://www.owasp.org/index.php/Session_Management#Regeneration_of_Session_To
kens

Session ID Regeneration in Traditional Java Web Applications

In a J2EE application, the user's JSESSIONID cookie should be regenerated
and the previous session should be removed or deleted from the server.
Example code below shows how this might be accomplished in a traditional
Java web application.

public class ExampleLoginServlet extends HttpServlet {


public void doGet(HttpServletRequest request, HttpServletResponse response)


     throws ServletException, IOException {


     if( //authentication was successful ) {


        request.getSession().invalidate();


        HttpSession session = request.getSession(true);


        session.setAttribute("AUTHENTICATED", new Boolean(true));


        response.sendRedirect("PageRequiringAuthentication.jsp");


//Additional Code Would Normally Follow

Session ID Regeneration in Struts 2 Applications

In Struts 2 applications, developers typically don't directly interact with
the HttpServletRequest, HTTPServletResponse, or HttpSession objects. With
consideration of these factors, the solution discussed above for a
traditional Java web application may not be appropriate for Struts 2.

I did a little research and through trial an error I came up with a Struts 2
specific solution for regenerating JSESSIONIDs. This solution utilizes the
SessionAware interface. Please excuse the unrealistic authentication code...

package nickcoblentzblog.actions.sessions;





import java.util.Map;


import org.apache.struts2.interceptor.SessionAware;


import com.opensymphony.xwork2.ActionContext;


import com.opensymphony.xwork2.ActionSupport;


import org.apache.struts2.dispatcher.SessionMap;





public class Login extends ActionSupport implements SessionAware  {


private String userid;


private String password;


private Map session;





public String execute() {


  if(userid.equals("admin") && password.equals("admin"))  {





     /* Session ID Regeneration: Try #4 */


     ((SessionMap)this.session).invalidate();


     this.session = ActionContext.getContext().getSession();


     /* End Try #4 */





     session.put("AUTHENTICATED", new Boolean(true));








     return SUCCESS;


  }


  else


     return ERROR;


}


public String getUserid() {


  return userid;


}


public void setUserid(String userid) {


  this.userid = userid;


}


public String getPassword() {


  return password;


}


public void setPassword(String password) {


  this.password = password;


}





public void setSession(Map session) {


  this.session = session;


}


}

To test this code, I followed the following procedure.

1. Cleared all browser cookies
2. Visited the Login JSP page
3. Used the Web Developer Toolbar to view my initial JSESSIONID
4. Logged into the application successfully
5. Used the Web Developer Toolbar to view my final JSESSIONID

The initial JSESSIONID value was:
AA4996C5E24BB8221BB27B23EA599F34

The final JSESSIONID value was:
325ED18851B93EBA542D2AE7926E7F8E

Based on these tests this solution appears to work successfully.

In case anyone is curious, here are a couple other ideas I toyed with:




/* Try # 1:


this.request.getSession().invalidate();


this.request.getSession(true);


*/





/* Try #2:


HTTPUtilities esapiHTTPUtilities = ESAPI.httpUtilities();


esapiHTTPUtilities.setCurrentHTTP(request, response);


try {


esapiHTTPUtilities.changeSessionIdentifier();


}


catch(Exception e) {


e.printStackTrace();


}


*/





/* Try #3:


((SessionMap)ActionContext.getContext().getSession()).invalidate();


*/

Posted by Nick Coblentz 

 

 

 

[Ph4nt0m] <http://www.ph4nt0m.org/>  

[Ph4nt0m Security Team]

                   <http://blog.ph4nt0m.org/> [EMAIL PROTECTED]

          Email:  [EMAIL PROTECTED]

          PingMe:
<http://cn.pingme.messenger.yahoo.com/webchat/ajax_webchat.php?yid=hanqin_wu
hq&sig=9ae1bbb1ae99009d8859e88e899ab2d1c2a17724> 

          === V3ry G00d, V3ry Str0ng ===

          === Ultim4te H4cking ===

          === XPLOITZ ! ===

          === #_# ===

#If you brave,there is nothing you cannot achieve.#

 

 


--~--~---------~--~----~------------~-------~--~----~
 要向邮件组发送邮件,请发到 [email protected]
 要退订此邮件,请发邮件至 [EMAIL PROTECTED]
-~----------~----~----~----~------~----~------~--~---

<<inline: image001.gif>>

回复