Insecure session management - Java

Insecure session management - Java

Need

Secure session management

Context

  • Usage of Java for building cross-platform applications
  • Usage of javax.servlet for building Java web applications with servlets
  • Usage of java.io for input and output operations in Java

Description

Non compliant code

        import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

public class SessionServlet extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        HttpSession session = request.getSession(true);
        String username = request.getParameter("username");
        session.setAttribute("username", username);
    }

}
        
        

The above code demonstrates a servlet that creates a new session or uses an existing one when a GET request is made. The session attribute "username" is set according to the "username" parameter from the request.

The vulnerability here is that the session token does not expire even when the user terminates the session. This is because the servlet does not have any mechanism to invalidate or expire the session token when the user's session ends.

This can lead to potential security risks. For example, if an attacker is able to capture a user's session token, they can use it to impersonate the user and make requests on their behalf, even after the user has ended their session.

In order to fix this vulnerability, we should add a mechanism to invalidate the session when the user logs out or after a certain period of inactivity.

Steps

  • Implement session timeout
  • Regenerate session token on login
  • Invalidate session on logout
  • Use secure flag for session cookies
  • Use HttpOnly flag for session cookies
  • Encrypt session data

Compliant code

        import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

public class SessionServlet extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        HttpSession session = request.getSession(true);
        String username = request.getParameter("username");
        session.setAttribute("username", username);
        session.setMaxInactiveInterval(30*60); // Session timeout after 30 minutes
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate(); // Invalidate session on logout
        }
    }

    public void doLogin(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate(); // Invalidate old session
        }
        session = request.getSession(true); // Create new session
        String username = request.getParameter("username");
        session.setAttribute("username", username);
        session.setMaxInactiveInterval(30*60); // Session timeout after 30 minutes
    }
}
        
        

The updated code now includes a session timeout, session invalidation on logout, and session regeneration on login.

- setMaxInactiveInterval(30*60): This sets the session to timeout after 30 minutes of inactivity. This means if the user does not make any request within 30 minutes, the session will be invalidated automatically.

- session.invalidate(): This method invalidates the current session and unbinds any objects associated with it. This is used when the user logs out to ensure that the session cannot be used after logout.

- In the doLogin method, before creating a new session, any existing session is invalidated. This ensures that a new session is created every time a user logs in, preventing session fixation attacks.

Please note that this code does not include the use of secure and HttpOnly flags for session cookies, and encryption of session data. These features need to be implemented at the server configuration level or using specific libraries depending on your technology stack.

References