Friday Jun 11, 2010

Change Session Id on Authentication in GlassFish

A session fixation attack is a security vulnerability in which the victim is tricked into logging in using a session id supplied by the attacker; the attacker can then use that authenticated session.

Prior to GlassFish v3, one can minimize the exposure of the session id through URL rewriting (the session id encoded into the URL) by specifying session-properties in WEB-INF/sun-web.xml:

<sun-web-app>
  <session-config>
    <session-properties>
      <property name="enableURLRewriting" value="false" />
    </session-properties>
  </session-config>
</sun-web-app>

In GlassFish v3, with the support of Servlet 3.0, one can also achieve the above by specifying the tracking-mode in WEB-INF/web.xml:

<web-app ...>
  ...
  <session-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>

Note that the default tracking-mode in GlassFish v3 is COOKIE and URL.

In GlassFish 3.0.1 and GlassFish 3.1, a security feature is ported from Tomcat. One can configure a web application so that the session id is changed after authentication. This minimizes the session fixation attack, since the session id the client presented before login is no longer valid afterwards. One can achieve this by configuring META-INF/context.xml in the war file. For instance,

<?xml version="1.0" encoding="ISO-8859-1"?>
<Context>
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator" changeSessionIdOnAuthentication="true"/>
</Context>

The above example uses form-based login. If BASIC is used, then the className should be org.apache.catalina.authenticator.BasicAuthenticator.

About

Shing Wai Chan
