调用无效后重新使用会话 ID
我继承了一个非常古老的 JSP 应用程序 (JDK 1.3.1_15),并试图堵塞会话固定漏洞。
使用 HttpSession.invalidate() 进行身份验证后,我成功使当前会话无效,但是创建新会话时,会重新使用旧会话 ID。
<%
// login.jsp
if (authenticated) {
request.getSession().invalidate();
// create new session and store data
HttpSession session = request.getSession();
session.putValue(...);
// etc
response.sendRedirect("logged-in.jsp");
return;
}
%>
我可以在 HTTP 监视器中看到新的会话分配,它只是再次使用相同的编号。
-- Initial request response --
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=6a303082951311647336934;path=/
-- login.jsp request response --
HTTP/1.1 302 Moved Temporarily
Location: http://example.com/logged-in.jsp
Set-Cookie: JSESSIONID=6a303082951311647336934;path=/
在我使用 session.invalidate() 之前,第二个 Set-Cookie 响应标头根本不存在。
有人对如何生成新的会话 ID 有任何建议吗?我对 JRUN4 不太熟悉,但翻遍配置文档并没有发现任何东西。
I've inherited a pretty ancient JSP application (JDK 1.3.1_15) and am attempting to plug a session fixation hole.
I'm successfully invalidating the current session after authentication using HttpSession.invalidate() however when the new session is created, the old session ID is re-used.
<%
// login.jsp
if (authenticated) {
request.getSession().invalidate();
// create new session and store data
HttpSession session = request.getSession();
session.putValue(...);
// etc
response.sendRedirect("logged-in.jsp");
return;
}
%>
I can see the new session assignment in my HTTP monitor, it's just using the same number again.
-- Initial request response --
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=6a303082951311647336934;path=/
-- login.jsp request response --
HTTP/1.1 302 Moved Temporarily
Location: http://example.com/logged-in.jsp
Set-Cookie: JSESSIONID=6a303082951311647336934;path=/
Prior to me using session.invalidate() the second Set-Cookie response header was not present at all.
Does anybody have any advice on how to generate a new session ID? I'm not very familiar with JRUN4 but trawling through the configuration documentation hasn't turned up anything.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
要解决此问题,您可以使用第二个非持久 cookie 来充当您可以控制其值的会话 ID。这个想法是生成一个唯一的 id 并将其存储在 cookie 和会话中。使用此 cookie 实现与您尝试通过使用 invalidate 对会话执行的相同逻辑。具体来说,在身份验证成功之前,不要发出未来请求将接受的实际标识符。然后创建一个 Servlet 过滤器来检查每个请求并将这个新 cookie 的值与会话中存储的值进行匹配。如果它们不匹配,则表示正在发生邪恶的事情。我知道这比仅仅依靠
session.invalidate()来发出新的 id 更麻烦一些。但考虑到您的约束和 JRun 的行为,这将为防止会话固定提供足够的保护。To work around this, you can use a second non-persistent cookie to act as a session id that you can control the value of. The idea is to generate a unique id and store it in both the cookie and the session. Implement the same logic with this cookie that you are attempting to do with the session through using invalidate. Specifically, don't issue the actual identifier that will be accepted for future requests until authentication is successful. Then create a Servlet Filter that checks each request and matches the value of this new cookie to the value stored in the session. If they don't match, something nefarious is going on. I know it is a bit more cumbersome than just relying on
session.invalidate()to issue a new id. But given your constraints and JRun's behavior, this will provide sufficient protection against session fixation.来自 Java Servlet 3.0 规范,你可以看到:
这是一个非常糟糕的想法,但我想知道 JSESSIONID cookie 是否只是被重复使用,并且实际的会话上下文被破坏了。您仍然可以访问失效会话的状态(即属性)吗?
From Section 7.3 of the Java Servlet 3.0 specification, you can see that:
It's a really terrible idea, but I wonder if the JSESSIONID cookie is simply re-used and the actual session context destroyed. Can you still acess state (i.e. attributes) of the invalidated session?