Alec: yes, that's correct by my understanding. By the way, I don't think Hielke's description of an accidentally copy-and-pasted URL is a session attack per se. I'm not sure there's an easy/standard way to protect such a user from himself. :) What Session#replaceSession() guards against is an attacker initiating a session, then luring someone into authenticating the session while retaining access to the (now authenticated) session.
On Mon, Mar 12, 2012 at 11:04 AM, Alec Swan <[email protected]> wrote:
> So, is this the recommended way to authenticate a user?
>
> // verify user password and store user id in the session
> if (user.getPasswordHash().equals(password)) {
>     final MyWebSession webSession = MyWebSession.get();
>     webSession.setUserName(user.getUserName());
>     webSession.replaceSession();
> }
>
> Thanks,
>
> Alec
>
> On Mon, Mar 12, 2012 at 10:48 AM, Dan Retzlaff <[email protected]> wrote:
> > Yes, I agree. Thanks for clarifying. :)
> >
> > On Mon, Mar 12, 2012 at 7:40 AM, Hielke Hoeve <[email protected]> wrote:
> >> Dan,
> >>
> >> JSESSIONIDs are not inherently secure. Users can be so dumb as to
> >> copy/paste a URL with a JSESSIONID as query parameter and send it to
> >> someone else via email/msn/etc. When that other person clicks the URL,
> >> while the first person is logged in, he is logged in as well.
> >> Web applications should always invalidate the Wicket session before
> >> authenticating. (Use Session.get().replaceSession().)
> >>
> >> See also: http://www.owasp.org/index.php/Session_Fixation
> >>
> >> Hielke
> >>
> >> -----Original Message-----
> >> From: Dan Retzlaff [mailto:[email protected]]
> >> Sent: Monday 5 March 2012 3:53
> >> To: [email protected]
> >> Subject: Re: Wicket authentication: how to store user?
> >>
> >> Paolo, sessions are accessed with a JSESSIONID cookie or query parameter
> >> supplied with each request. It's not possible for one user to guess another
> >> user's session ID, so the approach Martin describes is inherently secure.
> >> (Just be careful with your authentication code and form/query parameter
> >> validation elsewhere in your app!)
> >>
> >> Dan
> >>
> >> On Sat, Mar 3, 2012 at 4:40 AM, Paolo <[email protected]> wrote:
> >>
> >> > On Saturday 03 March 2012, Martin Grigorov wrote:
> >> > > Hi,
> >> > >
> >> > > Save the logged in user id in the Session.
> >> > >
> >> > > MySession.java:
> >> > >
> >> > > private long userId;
> >> > >
> >> > > public User getUser() {
> >> > >     return userService.getUserById(userId);
> >> > > }
> >> > >
> >> > > AnyPage.java:
> >> > > user = MySession.get().getUser();
> >> > >
> >> > Thank you for the support and example code, very useful because I am a
> >> > newbie.
> >> > Just one more question: is it secure?
> >> > Can someone alter session data and change user data, so a hacker could
> >> > log in with his own account but operate with other accounts?
> >> > Do I need some random code like this "hdfds6yh6yhgtruifh4hf4frh9ruehfe" to
> >> > store temporarily in session and database and associate it to a specific
> >> > user?
> >> >
> >> > > > I added registration and user/password sign-in and checking with
> >> > > > database, instead of simple "wicket" as user and password.
> >> > > > All works ok, but now I need in AdminPage to know which user is
> >> > > > logged in.
> >> >
> >> > ---------------------------------------------------------------------
> >> > To unsubscribe, e-mail: [email protected]
> >> > For additional commands, e-mail: [email protected]
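The pattern the thread converges on (Martin's "store only the user id in the session", Hielke's "call replaceSession() before authenticating", Alec's snippet) as one added example, written for this page and not taken from the Wicket project or any poster. Wicket's `WebSession`, `Session.replaceSession()`, `dirty()` and `invalidateNow()` are real API; `User`, `UserService` and `PasswordHasher` are assumed application types sketched at the bottom, and the package name is hypothetical. It goes slightly beyond Alec's snippet in two ways: it compares the password hash in constant time, and it rotates the container session before the user id is written, so the pre-login session ID (whether planted by an attacker or leaked by the user in a pasted URL) is never the one that becomes authenticated.

```java
// Added example, not code from the Wicket list thread: a WebSession subclass
// that verifies credentials, rotates the HttpSession, and only then records
// the logged-in user id. Package name and the User/UserService/PasswordHasher
// types are hypothetical; the Wicket calls are real.
package com.example.app;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import org.apache.wicket.Session;
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.request.Request;

public class MyWebSession extends WebSession {

    private static final long serialVersionUID = 1L;

    // Only the primary key lives in the session (Martin's advice); the User
    // object is reloaded per request so a stale copy never outlives a DB update.
    private long userId = -1;

    public MyWebSession(Request request) {
        super(request);
    }

    public static MyWebSession get() {
        return (MyWebSession) Session.get();
    }

    /**
     * Authenticates the user and, on success, binds the login to a fresh
     * container session. Returns false for an unknown user or a bad password.
     */
    public boolean signIn(UserService userService, PasswordHasher hasher,
                          String userName, String password) {
        User user = userService.findByUserName(userName);   // assumed lookup
        if (user == null) {
            return false;
        }

        // Compare in constant time so timing does not reveal how many leading
        // bytes of the stored hash matched.
        byte[] expected = user.getPasswordHash().getBytes(StandardCharsets.UTF_8);
        byte[] actual = hasher.hash(password, user.getSalt()).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, actual)) {
            return false;
        }

        // Session fixation defence (Hielke's point): invalidate the pre-login
        // HttpSession and bind this Wicket Session to a new one BEFORE anything
        // privileged is stored. The JSESSIONID the browser held until now is
        // dead from this point on.
        replaceSession();
        this.userId = user.getId();
        dirty();   // mark the session changed so the store writes it back
        return true;
    }

    public boolean isSignedIn() {
        return userId >= 0;
    }

    /** Reloads the user by id; null when nobody is signed in. */
    public User getUser(UserService userService) {
        return isSignedIn() ? userService.getUserById(userId) : null;
    }

    /** Drops the login and the container session together. */
    public void signOut() {
        userId = -1;
        invalidateNow();   // Wicket: invalidate and unbind immediately
    }

    // --- assumed application types (hypothetical, shown only so this compiles) ---
    public interface User {
        long getId();
        String getPasswordHash();
        String getSalt();
    }

    public interface UserService {
        User findByUserName(String userName);
        User getUserById(long id);
    }

    public interface PasswordHasher {
        /** Returns the encoded hash of password under salt, same encoding as stored. */
        String hash(String password, String salt);
    }
}
```

From a login form's `onSubmit()` the call is simply `MyWebSession.get().signIn(userService, hasher, userName, password)`, followed by a redirect to the post-login page on success. Because `replaceSession()` runs before `userId` is assigned, the order question in Alec's snippet does not arise: whatever the session store does with attributes during the swap, the only state that matters is written to the new session.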
