Marvellous, thanks for the input, folks.  So, in a nutshell, what we're 
basically saying is that when using Wicket we recommend HTTPS and disabling URL 
rewriting (we are using WebLogic and I presumed one of the other settings should 
have disabled URL rewriting; the fool I am, cookie-secure seemed to do nothing!). 
It's still possible to steal the session, but I've just got to rely on the 
users not doing anything too silly now!

The only other thing I thought may have been a problem is that, as I'm using 
wicket-auth-roles, it doesn't use the standard Java EE authentication, which I 
presume is where WebLogic gets involved and sets its own secure cookie.  Oh 
well, at least now we should be able to prevent people emailing each other 
their sessions!

Thanks again.
Andy
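Putting the thread's two recommendations into code, as an added example (this is not Andy's code and not part of Wicket or wicket-auth-roles, and it has not been tried against WebLogic): it assumes Wicket 1.4 as used in the quoted post, that `WebApplication.newWebResponse()` and `Session.replaceSession()` behave as their javadoc describes, and it reuses the `HelloWorldHomePage` page class from the quoted test app. The application stops Wicket from ever writing `;jsessionid=...` into a URL it renders, whatever the container's URL-rewriting setting, and the session discards the pre-login session id on a successful login, so an id that was captured or planted before login does not turn into a logged-in session afterwards.

```java
import javax.servlet.http.HttpServletResponse;

import org.apache.wicket.Page;
import org.apache.wicket.Request;
import org.apache.wicket.authentication.AuthenticatedWebApplication;
import org.apache.wicket.authentication.AuthenticatedWebSession;
import org.apache.wicket.authentication.pages.SignInPage;
import org.apache.wicket.authorization.strategies.role.Roles;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.BufferedWebResponse;
import org.apache.wicket.protocol.http.WebResponse;

/**
 * Added example (assumes Wicket 1.4): a wicket-auth-roles application that
 * never emits ;jsessionid=... in rendered URLs and rotates the session id at login.
 */
public class HardenedHelloWorldApplication extends AuthenticatedWebApplication {

    @Override
    protected void init() {
        super.init();
        // HelloWorldHomePage is the @AuthorizeInstantiation("USER") page from the quoted post.
        mountBookmarkablePage("home", HelloWorldHomePage.class);
        mountBookmarkablePage("signin", SignInPage.class);
    }

    /**
     * Every URL Wicket renders passes through WebResponse.encodeURL(), which by
     * default delegates to the container's HttpServletResponse.encodeURL(); that
     * is where ;jsessionid=... gets appended (typically on the first response,
     * before the container has seen its cookie come back). Returning the URL
     * untouched keeps the session id in the cookie only. The buffered variant is
     * kept when response buffering is on, as in Wicket's default implementation.
     */
    @Override
    protected WebResponse newWebResponse(final HttpServletResponse servletResponse) {
        if (getRequestCycleSettings().getBufferResponse()) {
            return new BufferedWebResponse(servletResponse) {
                @Override
                public CharSequence encodeURL(final CharSequence url) {
                    return url; // no rewriting
                }
            };
        }
        return new WebResponse(servletResponse) {
            @Override
            public CharSequence encodeURL(final CharSequence url) {
                return url; // no rewriting
            }
        };
    }

    @Override
    protected Class<? extends WebPage> getSignInPageClass() {
        return SignInPage.class;
    }

    @Override
    protected Class<? extends AuthenticatedWebSession> getWebSessionClass() {
        return HardenedHelloWorldWebSession.class;
    }

    @Override
    public Class<? extends Page> getHomePage() {
        return HelloWorldHomePage.class;
    }

    /** Session that swaps the underlying HTTP session once the credentials check out. */
    public static class HardenedHelloWorldWebSession extends AuthenticatedWebSession {

        public HardenedHelloWorldWebSession(final Request request) {
            super(request);
        }

        @Override
        public boolean authenticate(final String username, final String password) {
            // Constructed demo credentials, copied from the quoted test app.
            final boolean ok = "helloUser".equals(username) && "password".equals(password);
            if (ok) {
                // Invalidate the HTTP session this Wicket session is bound to and
                // bind it to a freshly created one (Session.replaceSession(), assumed
                // available in 1.4). An id handed to the victim, or seen on the wire,
                // before login therefore does not carry over into the logged-in
                // session. It does nothing against an id captured after login.
                replaceSession();
            }
            return ok;
        }

        @Override
        public Roles getRoles() {
            return isSignedIn() ? new Roles(Roles.USER) : null;
        }
    }
}
```

The hook sits in `authenticate()` because that is what wicket-auth-roles calls from `signIn()` on every login attempt. The override of `newWebResponse()` only governs URLs Wicket generates; the container should still be told not to rewrite and to mark the cookie Secure (on WebLogic that is the `session-descriptor` in weblogic.xml, whose `url-rewriting-enabled` and `cookie-secure` elements I am assuming from memory), and under Servlet 2.5 the cookie flags cannot be set from application code at all. Neither change helps once a post-login id has leaked, which is exactly the case HTTPS and "don't paste your URL into an e-mail" are left to cover.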


> From: grim_toas...@hotmail.com
> To: users@wicket.apache.org
> Subject: Session stealing with wicket-auth-roles
> Date: Wed, 2 Dec 2009 09:24:13 +0000
> 
> 
> 
> Good morning all,
> 
> I'm hoping I've misconfigured something in my application, but we seem to be 
> prone to session stealing in our wicket application.  We're using 
> wicket-auth-roles to provide the security, and if you are able to access the 
> jsessionid you can get another machine to log straight into the application 
> as the intercepted user.  We're using HTTPS for the communication, so 
> hopefully the likelihood of this occurring is quite small, but we are still 
> being forced to contemplate rewriting the security layer (which I want to 
> avoid if possible).
> 
> So, my question, have I misconfigured something, or is it just not possible 
> to prevent this sort of attack when using wicket-auth-roles?
> 
> I've managed to create a completely stripped-down app that still has the 
> problem; below is the AuthenticatedWebSession implementation.
> 
> import org.apache.wicket.Request;
> import org.apache.wicket.authentication.AuthenticatedWebSession;
> import org.apache.wicket.authorization.strategies.role.Roles;
> 
> public class HelloWorldWebSession extends AuthenticatedWebSession {
>     public HelloWorldWebSession(Request request) { super(request); }
>     // Hard-coded credentials for the stripped-down test app.
>     @Override
>     public boolean authenticate(String username, String password) {
>         return "helloUser".equals(username) && "password".equals(password);
>     }
>     @Override
>     public Roles getRoles() { return isSignedIn() ? new Roles(Roles.USER) : null; }
> }
> 
> And the simple page:
> 
> import org.apache.wicket.authorization.strategies.role.annotations.AuthorizeInstantiation;
> import org.apache.wicket.markup.html.WebPage;
> @AuthorizeInstantiation("USER")
> public class HelloWorldHomePage extends WebPage { }
> 
> And the application:
> 
> import org.apache.wicket.Page;
> import org.apache.wicket.authentication.AuthenticatedWebApplication;
> import org.apache.wicket.authentication.AuthenticatedWebSession;
> import org.apache.wicket.authentication.pages.SignInPage;
> import org.apache.wicket.markup.html.WebPage;
> 
> public class HelloWorldApplication extends AuthenticatedWebApplication {
>     @Override
>     protected void init() {
>         super.init();
>         mountBookmarkablePage("home", HelloWorldHomePage.class);
>         mountBookmarkablePage("signin", SignInPage.class);
>     }
> 
>     @Override
>     protected Class<? extends WebPage> getSignInPageClass() {
>         return SignInPage.class;
>     }
> 
>     @Override
>     protected Class<? extends AuthenticatedWebSession> getWebSessionClass() {
>         return HelloWorldWebSession.class;
>     }
> 
>     @Override
>     public Class<? extends Page> getHomePage() {
>         return HelloWorldHomePage.class;
>     }
> }
> 
> The URL below, once logged in on one machine, could then be used on multiple 
> machines to bypass the security layer.
> 
> http://localhost:9090/HelloWorld/home;jsessionid=<SESSION_ID_TAKEN_FROM_URL/COOKIE>
> 
> Many Thanks
> Andy
> 