The attack scenario for this vulnerability is that a user opens a browser on a shared terminal and records the session identifier set by the application. Later, when any other user of the system logs into the application without having closed all instances of that browser, the same cookie is used to track the victim's session.
Alternatively, if the application is susceptible to cross-site scripting on a publicly accessible page (most damagingly the home page), an attacker can use that flaw to learn the value of the session identifier, because the cookie has not changed since it was first set. The attacker, now knowing the value of the session token, can hijack the victim's session. This is a limited session fixation attack: the attacker does not control the value of the session identifier, but is able to learn its value through various means before and after a user authenticates.
Most of the time, invalidating the session and creating a new one is sufficient. However, if you are storing variables or objects in the session, you may need to carry them over from the old session into the new one.
Below is a javax.servlet.Filter that protects against the session fixation attacks described above. The filter looks for a specific session attribute (NEW_SESSION_INDICATOR). If it is found, the filter copies the relevant session data into a map, invalidates the session, creates a new session, and loads the new session with the old session data.
The filter is simply mapped in your web.xml. Anywhere you successfully authenticate a user, add the NEW_SESSION_INDICATOR attribute to the session.
The code follows:
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class NewSessionFilter implements Filter {

    private static Logger logger = Logger.getLogger(NewSessionFilter.class.getName());

    // Marker attribute: set it on the session after a successful login and this
    // filter rotates the session ID on the next request it sees.
    public static final String NEW_SESSION_INDICATOR = "filter.NewSessionFilter";

    public void destroy() {}

    @SuppressWarnings("unchecked")
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            HttpSession session = httpRequest.getSession(false);
            if (session != null && session.getAttribute(NEW_SESSION_INDICATOR) != null) {
                // Copy the attributes of the old session into a map (the indicator itself is dropped).
                Map<String, Object> old = new HashMap<String, Object>();
                Enumeration<String> keys = (Enumeration<String>) session.getAttributeNames();
                while (keys.hasMoreElements()) {
                    String key = keys.nextElement();
                    if (!NEW_SESSION_INDICATOR.equals(key)) {
                        old.put(key, session.getAttribute(key));
                        session.removeAttribute(key);
                    }
                }
                logger.info("session invalidated on " + httpRequest.getRequestURI());
                // Invalidate the old session and create a new one with a fresh ID.
                session.invalidate();
                session = httpRequest.getSession(true);
                // Copy the saved key/value pairs into the new session.
                for (Map.Entry<String, Object> entry : old.entrySet()) {
                    session.setAttribute(entry.getKey(), entry.getValue());
                }
                logger.info("new Session for URI '" + httpRequest.getRequestURI() + "':" + session.getId());
            }
        }
        chain.doFilter(request, response);
    }

    public void init(FilterConfig filterconfig) {}
}
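The following is an added example of how an application is wired to the filter above; it is not code from the original post. It shows the web.xml mapping and a login servlet that sets NEW_SESSION_INDICATOR only after credentials have been verified. The class name LoginServlet, the "/home" redirect target, the "user" attribute and the single demo user (with a fixed salt and PBKDF2 hash computed at startup) are assumptions constructed for illustration. One point the example makes explicit: because the filter runs at the start of each request, the login response itself still carries the pre-authentication session ID, and the rotation only happens on the next request, which is why the servlet redirects instead of rendering a page.

```java
/*
 * Added example (not from the original post). NewSessionFilter is mapped in
 * web.xml; a /* pattern makes it inspect every request, so the first request
 * after login is the one on which the session ID is rotated:
 *
 *   <filter>
 *     <filter-name>NewSessionFilter</filter-name>
 *     <filter-class>NewSessionFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>NewSessionFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    // Demo user store, constructed for this example: one user whose PBKDF2 hash is
    // computed at startup. A real application loads salt and hash from its user DB.
    private static final String DEMO_USER = "alice";
    private static final byte[] DEMO_SALT = "fixed-demo-salt".getBytes(StandardCharsets.UTF_8);
    private static final byte[] DEMO_HASH = pbkdf2("demo-password", DEMO_SALT);

    private static byte[] pbkdf2(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    private static boolean verifyCredentials(String user, String password) {
        if (user == null || password == null || !DEMO_USER.equals(user)) {
            return false;
        }
        // Constant-time comparison so the check does not leak how many bytes matched.
        return MessageDigest.isEqual(DEMO_HASH, pbkdf2(password, DEMO_SALT));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");

        if (!verifyCredentials(username, password)) {
            // Nothing is written to the session on failure; the indicator is never set.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        HttpSession session = req.getSession(true);

        // Application state stored now survives the rotation: NewSessionFilter copies
        // every attribute except the indicator into the new session.
        session.setAttribute("user", username);

        // Mark the session so NewSessionFilter invalidates it and issues a fresh ID at
        // the start of the NEXT request. The filter already ran for this request before
        // the attribute existed, so this response still carries the old session ID.
        session.setAttribute(NewSessionFilter.NEW_SESSION_INDICATOR, Boolean.TRUE);

        // Redirect rather than render: the browser's follow-up GET is the request on
        // which the filter rotates the ID, so no authenticated page is ever served
        // under the ID that may have been observed before login.
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```

To confirm the filter is doing its job, compare the JSESSIONID cookie the browser held before submitting the login form with the one in the Set-Cookie header of the response to the redirected GET: they must differ, and the filter's "new Session for URI" log line shows the new ID. On Servlet 3.1 or later containers, HttpServletRequest.changeSessionId() rotates the ID in place while keeping all attributes, which removes the need for the copy-out/copy-in step and lets the rotation happen within the login request itself.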
Any questions about this posting or filter, comment below and I'll be sure to answer.
Hi,
Where do we place this class file and what entry do we need in web.xml?
Please add NEW_SESSION_INDICATOR configuration details as well.
Thanks, Mr...
Yes, thanks, Mr.
Please give the details.
Where do we place this class file and what entry do we need in web.xml? Please let me know, it's urgent.