JSP Session Security !

Dear Friends,

I would like to ask the JSP Session Security.

I using the Session to manage the User Infomation after User Login.
There are 3 files. loginform.jsp > checkdata.jsp > userpage.jsp

1. loginform.jsp
<HTML>
<BODY>
<FORM METHOD=POST ACTION="checkdata.jsp">
What's your name? <INPUT TYPE=TEXT NAME=username SIZE=20>
What's your name? <INPUT TYPE=password NAME=password SIZE=20>
<P><INPUT TYPE=SUBMIT>
</FORM>
</BODY>
</HTML>

2. checkdata.jsp
//do for check database is user ok .......... then put the user information to session.
<%
   String name = request.getParameter( "username" );
   session.setAttribute( "theName", name );
%>
<HTML>
<BODY>
<A HREF="userpage.jsp">Login Sucess , Please click to use your service</A>
</BODY>
</HTML>

3. userpage.jsp
<HTML>
<BODY>
Hello, <%= session.getId() %><%= session.getAttribute("theName") %>
</BODY>
</HTML>

That is ok for user A login, no problem.

****** But I can use another computer from another place to use the link can also access the user A's userpage.jsp by no need password
http://www.abcdomainex.com/userpage.jsp;jsessionid=F81678782CF7A8892EC1A4353C07D6F3

It is not Security by using session to hold User information, What can i do.?
samneedAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

petmagdyCommented:
And how the other computer will get the session ID?

jsessionid=F81678782CF7A8892EC1A4353C07D6F3
0
petmagdyCommented:
I also want to add that this is called URL rewriting, for the client browers that have cookies disabled to be able to support sessions

If u don't want this feature (URL rewriting) please refer to ur application server to see if u can disable it, but if u disabled it users with disables cookies browers will not be able to access ur Web application
0
samneedAuthor Commented:
Hi petmagdy,

jsessionid=F81678782CF7A8892EC1A4353C07D6F3 maybe someone using programming always to check which jsessionid is valid ^O^


I am using Tomcat 5.0.28 standalone.

Thanks.
0
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

petmagdyCommented:
Programmer can do any thing if he has access to tomcat File System and administration, in order for the programmer to eve drop over sessions he must be allowed to put his code on the server, this should be never allowed on production for non autherized

to make sure that session is depending on cookies u must set cookies to true as in this URL:

http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/defaultcontext.html

but their is no way to disable URL rewritting
0
samneedAuthor Commented:

If no way to disable URL rewritting.

I would like to ask any method to protect this , how another web server like bank web site to hold User Information after they login?

0
petmagdyCommented:
samneed you are assuming a problem that dosn't exists because of the following:

1- jsessionid=F81678782CF7A8892EC1A4353C07D6F3 is the session id but encrypted, and actually the cookie stores the same value and u can get it too if u browse ur browser cookies so if their is a problem it is in the cookie too!! Because u r as a human user u logged in and then saw this jsessionid value u was able to get what u want

2- to hack using code u need to get the real session id not the encrypted one u see in the URL rewrite

3- If some one can monitor the HTTP traffic (and this is possible) he will get the password u supply in ur form tooo!!

and why u can't do this for a Bank application because of the following:

1- U can't access the Bank application server
2- The bank network and application server is protected by security firwalls
3- The Bank application will use SSL to encrypt the HTTP traffic (it becomes HTTPS), even if u spyed on the HTTP traffic u will get nothing but encrypted rubish

don't worry use sessions as it is if u will develop a banking application :)


0
samneedAuthor Commented:
Thanks petmagdy!

1. jsessionid=F81678782CF7A8892EC1A4353C07D6F3 is possible to get the session information. it is exist ^O^

2. what is "real session id" and "encrypted one" URL rewrite?

3. I don't konw SSL enough, is https://www.abcdomainex.com/userpage.jsp;jsessionid=F81678782CF7A8892EC1A4353C07D6F3 is can't access from another computer?
0
petmagdyCommented:
Sameed u need to understand something first, Internet security is about protecting ur private information from somebody else to get it but not to protect ur private information from u!! So it protects some bady else from seeing ur password and same goes about the jsessionid value but you only knows ur password and u only knows the jsessionid

1- Because u urself logged in to ur application u saw jsessionid=F81678782CF7A8892EC1A4353C07D6F3 and in the same way u can browse ur cookiers to get this value too

2- the real session id is the one returned by HttpSession.getId() the encrypted is jsessionid=F81678782CF7A8892EC1A4353C07D6F3

3- The objective Of SSL is to encrypt the communication between u on ur browser and the Web Server, so no body expect u can get the jsessionid

So as an answer for ur question u and only u who can go to another computer and access:
https://www.abcdomainex.com/userpage.jsp;jsessionid=F81678782CF7A8892EC1A4353C07D6F3 


4- the Session expires after a configurable period u specify in the web.xml, after this period the jsessionid become invalid

I hope I answered u :)
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
samneedAuthor Commented:
Many Thanks Petmagdy ^O^ !
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
JSP

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.