Session Fixation - Java

Session Fixation - Java

Need

Prevention of session hijacking

Context

  • Usage of Java 8 for developing applications with enhanced features and performance
  • Usage of javax.servlet.http.Cookie for handling HTTP cookies in Java Servlet applications
  • Usage of javax.servlet.http.HttpServletRequest for handling HTTP requests in Java Servlets
  • Usage of HttpServletResponse for handling HTTP responses in Java Servlets
  • Usage of javax.servlet.http.HttpSession for managing user sessions in Java web applications
  • Usage of javax.servlet.ServletException for handling servlet exceptions
  • Usage of java.io.IOException for handling input/output errors in Java

Description

Non compliant code

        import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        // Validate username and password
        if (isValidUser(username, password)) {
            HttpSession session = request.getSession(true);
            session.setAttribute("username", username);

            Cookie cookie = new Cookie("JSESSIONID", session.getId());
            response.addCookie(cookie);
            response.sendRedirect("/home");
        } else {
            response.sendRedirect("/login");
        }
    }

    private boolean isValidUser(String username, String password) {
        // Validation logic
        return true;
    }
}
        
        

The above code snippet is a simple example of a login servlet in a Java web application using the javax.servlet package. In this code, when a user tries to log in, their username and password are checked. If they are valid, a new session is created and the username is stored in the session attributes.

The vulnerability lies in the session management part of the code. After a successful login, the session ID is not changed. The same session ID is used before and after authentication. This is a classic example of a Session Fixation vulnerability.

An attacker can exploit this vulnerability by obtaining a valid session ID (for example, by using the application themselves), and then convincing a victim to use this session ID. Once the victim logs in, the attacker can use the same session ID to access the application as the victim.

This is a serious security vulnerability as it can lead to unauthorized access to the application, potentially leading to data theft, data alteration, or other malicious activities.

Steps

  • Generate a new session ID after a successful login
  • Invalidate the old session ID and create a new session
  • Regenerate the session ID when the user's privilege level changes
  • Use secure and HttpOnly flags for session cookies
  • Implement strong session management practices

Compliant code

        import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        // Validate username and password
        if (isValidUser(username, password)) {
            HttpSession oldSession = request.getSession(false);
            if (oldSession != null) {
                oldSession.invalidate();
            }
            HttpSession newSession = request.getSession(true);
            newSession.setMaxInactiveInterval(5*60); // Set session timeout to 5 minutes

            newSession.setAttribute("username", username);

            Cookie cookie = new Cookie("JSESSIONID", newSession.getId());
            cookie.setSecure(true); // Set secure flag
            cookie.setHttpOnly(true); // Set HttpOnly flag
            response.addCookie(cookie);
            response.sendRedirect("/home");
        } else {
            response.sendRedirect("/login");
        }
    }

    private boolean isValidUser(String username, String password) {
        // Validation logic
        return true;
    }
}
        
        

The fixed code now includes a process to invalidate the old session and create a new one after a successful login. This is done to prevent session fixation attacks where an attacker could use a known session ID to hijack a user's session.

The new session ID is then used to create a new cookie which is added to the response. The cookie is marked with the Secure flag, ensuring it is only sent over HTTPS, and the HttpOnly flag, preventing it from being accessed through client-side scripts. This helps to mitigate the risk of session hijacking through man-in-the-middle or cross-site scripting attacks.

The session timeout is also set to 5 minutes with setMaxInactiveInterval(). This means the session will automatically expire if there is no activity within this time period, reducing the window of opportunity for an attacker to hijack the session.

The isValidUser() function is used to validate the username and password. This is a placeholder and should be replaced with actual validation logic.

References