Solved

JSP Session Security !

Posted on 2004-10-24
1,504 Views
Last Modified: 2012-06-27
Dear Friends,

I would like to ask about JSP Session Security.

I am using the Session to manage the User Information after User Login.
There are 3 files: loginform.jsp > checkdata.jsp > userpage.jsp

1. loginform.jsp
<HTML>
<BODY>
<FORM METHOD=POST ACTION="checkdata.jsp">
What's your name? <INPUT TYPE=TEXT NAME=username SIZE=20>
What's your password? <INPUT TYPE=password NAME=password SIZE=20>
<P><INPUT TYPE=SUBMIT>
</FORM>
</BODY>
</HTML>

2. checkdata.jsp
<%
   // check in the database that the user is OK .......... then put the user information into the session.
   String name = request.getParameter( "username" );
   session.setAttribute( "theName", name );
%>
<HTML>
<BODY>
<A HREF="userpage.jsp">Login Success, Please click to use your service</A>
</BODY>
</HTML>

3. userpage.jsp
<HTML>
<BODY>
Hello, <%= session.getId() %><%= session.getAttribute("theName") %>
</BODY>
</HTML>

That is OK for user A login, no problem.

****** But I can use another computer from another place to use the link and can also access user A's userpage.jsp with no need for a password:
http://www.abcdomainex.com/userpage.jsp;jsessionid=F81678782CF7A8892EC1A4353C07D6F3

It is not secure to use the session to hold User information. What can I do?
Question by:samneed
    9 Comments

    Expert Comment

    by:petmagdy
    And how will the other computer get the session ID?

    jsessionid=F81678782CF7A8892EC1A4353C07D6F3

    Expert Comment

    by:petmagdy
    I also want to add that this is called URL rewriting, for client browsers that have cookies disabled to be able to support sessions.

    If you don't want this feature (URL rewriting), please refer to your application server to see if you can disable it, but if you disable it, users with cookies disabled in their browsers will not be able to access your Web application.

    Author Comment

    by:samneed
    Hi petmagdy,

    jsessionid=F81678782CF7A8892EC1A4353C07D6F3: maybe someone could use a program to keep checking which jsessionid is valid ^O^


    I am using Tomcat 5.0.28 standalone.

    Thanks.

    Expert Comment

    by:petmagdy
    A programmer can do anything if he has access to the Tomcat file system and administration; in order for the programmer to eavesdrop on sessions he must be allowed to put his code on the server, and this should never be allowed on production for non-authorized people.

    To make sure that the session depends on cookies you must set cookies to true as in this URL:

    http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/defaultcontext.html

    but there is no way to disable URL rewriting.

    Author Comment

    by:samneed

    If there is no way to disable URL rewriting,

    I would like to ask for any method to protect against this. How do other web servers like bank web sites hold User Information after users log in?


    Expert Comment

    by:petmagdy
    samneed, you are assuming a problem that doesn't exist, because of the following:

    1- jsessionid=F81678782CF7A8892EC1A4353C07D6F3 is the session id but encrypted, and actually the cookie stores the same value and you can get it too if you browse your browser cookies, so if there is a problem it is in the cookie too!! Because you as a human user logged in and then saw this jsessionid value, you were able to get what you want.

    2- to hack using code you need to get the real session id, not the encrypted one you see in the URL rewrite

    3- If someone can monitor the HTTP traffic (and this is possible) he will get the password you supply in your form too!!

    and why you can't do this for a Bank application, because of the following:

    1- You can't access the Bank application server
    2- The bank network and application server are protected by security firewalls
    3- The Bank application will use SSL to encrypt the HTTP traffic (it becomes HTTPS); even if you spied on the HTTP traffic you would get nothing but encrypted rubbish

    don't worry, use sessions as they are if you will develop a banking application :)



    Author Comment

    by:samneed
    Thanks petmagdy!

    1. With jsessionid=F81678782CF7A8892EC1A4353C07D6F3 it is possible to get the session information. It does exist ^O^

    2. What is the "real session id" and the "encrypted one" in URL rewriting?

    3. I don't know SSL well enough; is https://www.abcdomainex.com/userpage.jsp;jsessionid=F81678782CF7A8892EC1A4353C07D6F3 not accessible from another computer?

    Accepted Solution

    by:
    Samneed, you need to understand something first: Internet security is about protecting your private information from somebody else getting it, not about protecting your private information from you!! So it protects your password from somebody else seeing it, and the same goes for the jsessionid value, but only you know your password and only you know the jsessionid.

    1- Because you yourself logged in to your application you saw jsessionid=F81678782CF7A8892EC1A4353C07D6F3, and in the same way you can browse your cookies to get this value too

    2- the real session id is the one returned by HttpSession.getId(); the encrypted one is jsessionid=F81678782CF7A8892EC1A4353C07D6F3

    3- The objective of SSL is to encrypt the communication between you on your browser and the Web Server, so nobody except you can get the jsessionid

    So as an answer to your question, you and only you can go to another computer and access:
    https://www.abcdomainex.com/userpage.jsp;jsessionid=F81678782CF7A8892EC1A4353C07D6F3


    4- the Session expires after a configurable period you specify in the web.xml; after this period the jsessionid becomes invalid

    I hope I answered you :)
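The defensive side of the points above, as an added example that is not from the thread and not Tomcat's own code: a filter written against the Servlet 2.4 API that Tomcat 5.0 implements. It refuses to honour a session id that arrived as the `;jsessionid=` URL path parameter instead of the JSESSIONID cookie (`HttpServletRequest.isRequestedSessionIdFromURL()` and `isRequestedSessionIdValid()` are both standard Servlet API methods), requires the `theName` attribute that the question's checkdata.jsp stores before it serves the protected page, and offers a helper for checkdata.jsp that replaces whatever session existed before login with a fresh one, so the id the user is tracked by is only issued after the password check. The class name `SessionGuardFilter`, the helper name `freshLoginSession` and the redirect target `loginform.jsp` are this example's own choices.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical hardening filter (added example, not code from the thread or from Tomcat).
 * Map it to the protected page (userpage.jsp) in web.xml.
 *
 *  1. A session id presented through URL rewriting (";jsessionid=...") rather than
 *     the JSESSIONID cookie is not accepted: the session is dropped and the user is
 *     sent to the login form, so a pasted link stops working.
 *  2. The protected page is only served when the session carries the "theName"
 *     attribute that checkdata.jsp stores after a successful login.
 */
public class SessionGuardFilter implements Filter {

    // Assumed login page name, taken from the question's file layout.
    private static final String LOGIN_PAGE = "/loginform.jsp";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. Valid session id, but it came from the URL path and not from the cookie.
        //    Tomcat prefers the cookie when both are present, so this only fires for
        //    a bare rewritten link such as the one quoted in the question.
        if (request.isRequestedSessionIdFromURL() && request.isRequestedSessionIdValid()) {
            HttpSession exposed = request.getSession(false);
            if (exposed != null) {
                exposed.invalidate(); // the id in the link is now useless to anyone
            }
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        // 2. No logged-in session: back to the login form instead of the user page.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("theName") == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }

    /**
     * For checkdata.jsp, after the password check has passed: discard the session
     * that existed before login and start a new one, so the session id changes at
     * the moment of login and an id that was known beforehand is no longer valid.
     * Call this in place of session.setAttribute("theName", name).
     */
    public static HttpSession freshLoginSession(HttpServletRequest request, String name) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true); // Tomcat issues a new id and Set-Cookie
        fresh.setAttribute("theName", name);
        return fresh;
    }
}
```

Register the filter in web.xml with a `<filter>` entry and a `<filter-mapping>` whose `<url-pattern>` is `/userpage.jsp`, and pair it with the `<session-config><session-timeout>` setting mentioned in point 4 so an abandoned session does not stay valid indefinitely. The trade-off the thread already names still applies: a browser with cookies disabled cannot log in once rewritten ids are rejected.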

    Author Comment

    by:samneed
    Many Thanks Petmagdy ^O^ !
