Prevention of session hijacking
```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        // Validate username and password
        if (isValidUser(username, password)) {
            // Returns the session the client already presented (if it is valid);
            // a new session is created only when there is none
            HttpSession session = request.getSession(true);
            session.setAttribute("username", username);
            // Re-sends the unchanged session ID to the client
            Cookie cookie = new Cookie("JSESSIONID", session.getId());
            response.addCookie(cookie);
            response.sendRedirect("/home");
        } else {
            response.sendRedirect("/login");
        }
    }

    private boolean isValidUser(String username, String password) {
        // Validation logic (placeholder: accepts every login)
        return true;
    }
}
```
The code above is a minimal login servlet for a Java web application built on the javax.servlet package. When a user submits the login form, the username and password are checked; if they are valid, request.getSession(true) returns a session and the username is stored as a session attribute.
The vulnerability lies in the session management. request.getSession(true) returns the session the client already presented if its ID is valid, and only creates a new one otherwise. So after a successful login the session ID is not changed: the same ID is used before and after authentication. This is a classic Session Fixation vulnerability (CWE-384).
An attacker exploits this by first obtaining a valid session ID (for example by visiting the application themselves and reading the ID the container issues) and then convincing the victim to use that ID, so that the victim's browser presents it when logging in. Once the victim has logged in, the attacker presents the same ID and the application treats them as the victim; no password guessing or cookie theft is required.
This is a serious vulnerability because it gives the attacker the victim's authenticated access to the application, which can lead to data theft, data alteration, or other malicious activity performed under the victim's identity.
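To make the three steps concrete, here is a small added simulation; it is not code from the page or from any servlet container. A Map keyed by session ID stands in for the container's session table, and the same attack is run once against a login that keeps the ID the client presented (the behaviour of getSession(true) in the vulnerable servlet) and once against a login that retires it. The class and method names are assumptions made for the example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Session fixation walk-through against an in-memory session store (hypothetical names). */
public class FixationDemo {
    private static final SecureRandom RNG = new SecureRandom();
    /** session ID -> attributes; stands in for the container's session table */
    private static final Map<String, Map<String, String>> SESSIONS = new HashMap<>();

    /** Mint a fresh, unguessable session ID (128 random bits, URL-safe base64) and register it. */
    static String newSession() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        SESSIONS.put(id, new HashMap<>());
        return id;
    }

    /** Mirrors the vulnerable servlet: a valid presented ID is kept across authentication. */
    static String vulnerableLogin(String presentedId, String username) {
        String id = SESSIONS.containsKey(presentedId) ? presentedId : newSession();
        SESSIONS.get(id).put("username", username);
        return id;
    }

    /** Mirrors the fixed servlet: whatever was presented is invalidated, then a new ID is issued. */
    static String fixedLogin(String presentedId, String username) {
        SESSIONS.remove(presentedId);
        String id = newSession();
        SESSIONS.get(id).put("username", username);
        return id;
    }

    /** The user the holder of a given session ID is logged in as, or null if none. */
    static String whoIs(String sessionId) {
        Map<String, String> s = SESSIONS.get(sessionId);
        return s == null ? null : s.get("username");
    }

    public static void main(String[] args) {
        // Step 1: the attacker obtains a valid, not-yet-authenticated session ID.
        String planted = newSession();
        // Step 2: the victim's browser presents that ID while logging in.
        String victim = vulnerableLogin(planted, "alice");
        // Step 3: the attacker presents the same ID.
        System.out.println("vulnerable: victim kept planted ID? " + victim.equals(planted)
                + ", planted ID now resolves to user " + whoIs(planted));

        // Same three steps against the login that retires the presented ID.
        planted = newSession();
        victim = fixedLogin(planted, "alice");
        System.out.println("fixed: victim kept planted ID? " + victim.equals(planted)
                + ", planted ID resolves to user " + whoIs(planted)
                + ", victim's new ID resolves to user " + whoIs(victim));
    }
}
```

Run as a plain Java program. In the first run the planted ID resolves to alice, which is the attacker's win; in the second run the planted ID resolves to nothing and only the freshly issued ID, which the attacker never saw, is bound to alice.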
```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        // Validate username and password
        if (isValidUser(username, password)) {
            // Discard any session the client arrived with, including one planted by an attacker
            HttpSession oldSession = request.getSession(false);
            if (oldSession != null) {
                oldSession.invalidate();
            }
            // Fresh session with a newly generated ID; the container also issues
            // its own Set-Cookie for it on this response
            HttpSession newSession = request.getSession(true);
            newSession.setMaxInactiveInterval(5 * 60); // Set session timeout to 5 minutes
            newSession.setAttribute("username", username);
            Cookie cookie = new Cookie("JSESSIONID", newSession.getId());
            cookie.setSecure(true);   // Set Secure flag: only sent over HTTPS
            cookie.setHttpOnly(true); // Set HttpOnly flag: not readable from client-side script
            response.addCookie(cookie);
            response.sendRedirect("/home");
        } else {
            response.sendRedirect("/login");
        }
    }

    private boolean isValidUser(String username, String password) {
        // Validation logic (placeholder: replace with a real credential check)
        return true;
    }
}
```
The fixed code invalidates the session the client arrived with and creates a new one after a successful login. An attacker who planted a known session ID is therefore left holding an ID that no longer resolves to any session, which is what defeats session fixation. Note that invalidate() discards every attribute of the old session, including legitimate pre-login state such as a CSRF token or a shopping cart; copy over what you need before invalidating, or on Servlet 3.1 and later call request.changeSessionId(), which rotates the ID while keeping the session object and its attributes.
The new session ID is then written into a JSESSIONID cookie and added to the response. The cookie carries the Secure flag, so the browser only sends it over HTTPS, and the HttpOnly flag, so it cannot be read from client-side scripts. Together these reduce the risk of the ID being captured on the wire by a man-in-the-middle or through a cross-site scripting flaw. Two caveats: Secure only helps if the application is served over HTTPS alone, and the container already sends its own Set-Cookie for the new session, so the flags are better configured once on the container's session cookie (SessionCookieConfig, or the cookie-config element in web.xml) than re-emitted by hand from the servlet, where a mismatched path or domain would leave two JSESSIONID cookies in the browser.
The session timeout is set to 5 minutes with setMaxInactiveInterval(), so the session expires automatically after 5 minutes without a request. This shortens the window in which a captured ID is usable; choose a value your users will tolerate, since it also logs out anyone who is merely idle.
The isValidUser() method validates the username and password. It is a placeholder that accepts every login and must be replaced with real credential checking before the code is used.
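As an added example, not the page's own code, the same protection written against Servlet 3.1 or later and addressing the caveats above: the session cookie flags are set once on the container's cookie through SessionCookieConfig, so the servlet no longer hand-writes JSESSIONID; the ID is rotated in place with request.changeSessionId(); and a fallback for older containers invalidates and re-creates the session while carrying over a named set of attributes such as a pre-login CSRF token. The two classes are shown as one listing but belong in separate files. The URL mappings, the attribute names and the demo credential table are assumptions made for the example.

```java
// File: SessionCookieHardening.java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/** Harden the container-issued session cookie once at startup (Servlet 3.0+). */
@WebListener
public class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true); // not readable via document.cookie
        cfg.setSecure(true);   // only sent over HTTPS; the site must be HTTPS-only for this to hold
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
    }
}

// File: LoginServlet.java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login") // assumed mapping
public class LoginServlet extends HttpServlet {
    /** Constructed demo credentials; a real application verifies a salted password hash instead. */
    private static final Map<String, String> DEMO_USERS = new HashMap<>();
    static {
        DEMO_USERS.put("alice", "correct horse battery staple");
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (!isValidUser(username, password)) {
            response.sendRedirect(request.getContextPath() + "/login?error=1");
            return;
        }

        HttpSession session = request.getSession(true);
        // Servlet 3.1+: retire the presented ID and bind the same session object to a new one.
        // Anyone who planted the old ID is locked out; pre-login attributes (e.g. a CSRF token) survive.
        request.changeSessionId();
        // Older containers instead: session = rotateByInvalidate(request, "csrfToken");
        session.setAttribute("username", username);
        session.setMaxInactiveInterval(5 * 60); // idle timeout in seconds
        response.sendRedirect(request.getContextPath() + "/home");
    }

    /** Pre-3.1 fallback: invalidate and re-create, carrying over only the named attributes. */
    static HttpSession rotateByInvalidate(HttpServletRequest request, String... keep) {
        Map<String, Object> carried = new HashMap<>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            for (String key : keep) {
                Object value = old.getAttribute(key);
                if (value != null) {
                    carried.put(key, value);
                }
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        carried.forEach(fresh::setAttribute);
        return fresh;
    }

    private boolean isValidUser(String username, String password) {
        if (username == null || password == null) {
            return false;
        }
        String expected = DEMO_USERS.get(username);
        if (expected == null) {
            return false;
        }
        // Constant-time comparison so the check does not leak how many characters matched
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
    }
}
```

Because the container now writes the only JSESSIONID cookie, the Secure and HttpOnly flags apply to every session it issues, not just the one created at login, and there is no second hand-made cookie whose path or domain could drift from the container's.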