
Sun, June 11, 2010

Change Session Id on Authentication in GlassFish

Session fixation is a security vulnerability in which the victim is tricked
into logging in with a session id supplied by an attacker; once the victim has
authenticated, the attacker can use that same session.

Prior to GlassFish v3, one can minimize the exposure of the session id through
URL rewriting by specifying session-properties in WEB-INF/sun-web.xml:


<sun-web-app>
  <session-config>
    <session-properties>
      <property name="enableURLRewriting" value="false" />
    </session-properties>
  </session-config>
</sun-web-app>

In GlassFish v3, which supports Servlet 3.0, one can also achieve the above by
specifying the tracking-mode in WEB-INF/web.xml:


<web-app ...>
  ...
  <session-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>

Note that the default tracking-mode in GlassFish v3 is COOKIE and URL, so URL
rewriting stays enabled unless the tracking-mode is set explicitly.

In GlassFish 3.0.1 and GlassFish 3.1, a security feature is ported from Tomcat:
one can configure a web application so that the session id is changed after
authentication, which mitigates the session fixation attack. One achieves this
by configuring META-INF/context.xml in the war file. For instance,


<?xml version="1.0" encoding="ISO-8859-1"?>
<Context>
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         changeSessionIdOnAuthentication="true"/>
</Context>

The above example uses form-based login. If BASIC is used, then the className should be
org.apache.catalina.authenticator.BasicAuthenticator.
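For applications that authenticate programmatically rather than through the container's declarative FORM or BASIC login, the same two protections can be applied from Java code using the Servlet 3.0 API. The following is an added example, not code from the original post or from GlassFish: a ServletContextListener that restricts session tracking to cookies (the programmatic counterpart of the tracking-mode setting above), and a login servlet that discards the pre-login session and issues a fresh session id before handing the credentials to the container, the same effect the changeSessionIdOnAuthentication valve provides for declarative login. Servlet 3.0 has no request.changeSessionId(), so the renewal is done by invalidating and recreating the session. The class names, the /login mapping and the j_username/j_password parameter names are assumptions for illustration.

```java
// Added example (not from the original post or from GlassFish): programmatic
// Servlet 3.0 equivalents of the tracking-mode and change-session-id-on-auth
// settings. Class names, the /login mapping and the parameter names are
// hypothetical; the code assumes a Servlet 3.0 container such as GlassFish v3.
import java.io.IOException;
import java.util.EnumSet;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Counterpart of <tracking-mode>COOKIE</tracking-mode>: the session id is never
 *  written into URLs, so it cannot leak through links, logs or Referer headers. */
@WebListener
class CookieOnlySessionListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}

/** Programmatic login that renews the session id before authenticating, so a
 *  session id chosen before login (fixed by an attacker) never becomes an
 *  authenticated session. */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("j_username");
        String pass = req.getParameter("j_password");

        // Renew first: the container caches the authenticated principal in the
        // session, so the fresh session must exist before login() runs.
        renewSession(req);
        try {
            req.login(user, pass);   // container-managed authentication, Servlet 3.0
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.sendRedirect(req.getContextPath() + "/");
    }

    /** Servlet 3.0 has no request.changeSessionId(): invalidate the current
     *  session and create a new one, carrying over any pre-login attributes
     *  (for example a shopping cart) so the user does not lose state. */
    static HttpSession renewSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);   // new id, new Set-Cookie
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Renewing before calling login() rather than after matters on Tomcat-derived containers, where the authenticated principal is cached in the session: invalidating afterwards would discard the login along with the old id. A quick check that the protection is in effect is to compare the JSESSIONID cookie value the browser receives before and after a successful login; they must differ.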

Comments (1)
  • Shing Wai Chan, Tuesday, February 1, 2011

    In 3.1, this feature is turned on by default.
