Concurrent sessions - Java

Concurrent sessions - Java

Need

Enforcement of session limits and notification of concurrent sessions

Context

  • Usage of Java 8 for developing applications with enhanced features and performance
  • Usage of javax.servlet-api for Java Servlet development

Description

Non compliant code

        import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class SessionController {

    public void login(HttpServletRequest request, HttpServletResponse response) {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        if (authenticate(username, password)) {
            HttpSession session = request.getSession();
            session.setAttribute("username", username);
        }
    }

    private boolean authenticate(String username, String password) {
        // Authentication logic here
        return true;
    }
}
        
        

This code is vulnerable to concurrent sessions. The login method in SessionController class handles user login. It retrieves the username and password from the HTTP request and if the authentication is successful, it creates a new session for the user and stores the username in the session.

The vulnerability lies in the fact that the application does not limit the number of active sessions a user can have. This means a user can login multiple times concurrently from different locations. This can lead to potential security risks as it could allow an attacker to impersonate a user by using his/her active session.

Furthermore, there is no mechanism to notify the user when a new session is initiated. A user would not know if an attacker has initiated a session using his/her credentials from a different location.

To fix this vulnerability, the application should limit the number of active sessions a user can have and notify the user when a new session is initiated.

Steps

  • Implement session management to track the number of active sessions per user.
  • When a user logs in, check if they already have an active session and handle accordingly.
  • Notify the user when a session has already been initiated from a different location.
  • Consider implementing session timeout to automatically invalidate inactive sessions.
  • Implement proper authentication logic to ensure only valid users can login.

Compliant code

        import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

public class SessionController {

    private Map activeSessions = new HashMap<>();

    public void login(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        if (authenticate(username, password)) {
            HttpSession existingSession = activeSessions.get(username);
            if (existingSession != null) {
                existingSession.invalidate();
                response.getWriter().println("A session has already been initiated from a different location. That session has been invalidated.");
            }

            HttpSession newSession = request.getSession();
            newSession.setAttribute("username", username);
            activeSessions.put(username, newSession);
        }
    }

    private boolean authenticate(String username, String password) {
        // Authentication logic here
        return true;
    }
}
        
        

The fixed code introduces a Map called activeSessions to track the active sessions for each user. When a user logs in, the code checks if there is an existing session for that user in the activeSessions map. If there is, it invalidates that session and notifies the user that a session has already been initiated from a different location and that session has been invalidated.

The new session is then created and stored in the activeSessions map, replacing the previous session if it existed. This ensures that each user can only have one active session at a time.

The authenticate method is a placeholder for the actual authentication logic, which should verify the username and password against a user database or other authentication mechanism. This is important to ensure that only valid users can log in.

Please note that this code does not implement session timeout. Depending on the requirements of your application, you may want to add logic to automatically invalidate sessions after a certain period of inactivity. This can be done using the setMaxInactiveInterval method on the HttpSession object.

References