Session Fixation - Replacing JSESSIONID after login

Forum to discuss the Web client version of Servoy.

Session Fixation - Replacing JSESSIONID after login

Postby mark.finlay » Thu Mar 18, 2021 12:27 pm

Hi,

We have been investigating the possibility of replacing the JSESSIONID of the Web Client session after login.

The rationale for this is to mitigate a session fixation attack.

http://www.owasp.org/index.php/Session_Fixation

It seems that there is a nice wicket function that should do just that called "replaceSession()".

We have tried to use this in Servoy (8.1.2) by calling:

Packages.org.apache.wicket.Session.get().replaceSession();

This does change the JESSIONID but also then takes us to the solution browsing page.

Is there a way to change the JSESSIONID after login and if so, how can this be achieved?

Cheers,

Mark
User avatar
mark.finlay
 
Posts: 10
Joined: Thu Jun 14, 2012 12:07 pm

Re: Session Fixation - Replacing JSESSIONID after login

Postby sbutler » Fri Mar 19, 2021 6:37 am

This doesn't directly answer your question, but there are some alternatives. When a session is initiated, you could store the IP and Session in a temporary table. Or use a JS Fingerprint library to store a browser fingerprint hash with the session ID in the temporary table.
At session creation, check if the session exists in the table already. If so, if it's under a different ip and/or fingerprint hash, then you block the login session from being shown as that would mean the browser is attempting to load a session of a different user.
Scott Butler
iTech Professionals, Inc.
SAN Partner

Servoy Consulting & Development
Servoy University- Training Videos
Servoy Components- Plugins, Beans, and Web Components
Servoy Guy- Tips & Resources
ServoyForge- Open Source Components
User avatar
sbutler
Servoy Expert
 
Posts: 721
Joined: Sun Jan 08, 2006 7:15 am
Location: Cincinnati, OH

Re: Session Fixation - Replacing JSESSIONID after login

Postby mark.finlay » Thu Mar 25, 2021 11:14 am

Hi Scott,

Many thanks for responding to this.

I like your alternative suggestion. Particularly the browser fingerprint hash. That's neat.

If there is no possibility of being able to just change the JSESSIONID after login, then this approach could meet the requirement.

Can anyone confirm for sure whether changing the JSESSIONID after login is currently technically possible or not?

Thanks,

Mark
Servoy 5.2.13
Asset Guardian Solutions Ltd
User avatar
mark.finlay
 
Posts: 10
Joined: Thu Jun 14, 2012 12:07 pm


Return to Servoy Web Client

Who is online

Users browsing this forum: No registered users and 4 guests