Preventing session duplication when the JSESSIONID cookie is copied

战神

Background: I have a Java EE web application deployed on Tomcat that uses form-based authentication. When the web server receives a login request, it forwards the request to a dedicated authentication service, which validates the user's login (user ID and password). After successful authentication, the user session is kept on the web server.

Problem: I wrote a simple webapp source code here to simulate this situation. After a successful login, the current HttpSession instance is invalidated and a new instance is created. For every request to the post-login page, the session is validated. A new JSESSIONID cookie is set, which identifies the user during the session until the session expires or the user logs out. This cookie can easily be viewed in the browser's developer tools. If I copy the cookie and set it in another browser via JavaScript (document.cookie="JSESSIONID=xyzz"), then try to access the post-login page, the server treats it as a valid request and the session is validated successfully. The post-login page is served without the user having to enter a user ID and password.

POC: The user opens a browser, enters the URL http://localhost:8080/mywebapp/ and logs in with admin / pass1234. After a successful login, the home page http://localhost:8080/mywebapp/home is displayed. Now copy the JSESSIONID cookie and set it in Firefox. The user enters http://localhost:8080/mywebapp/home in Firefox and the home page is displayed, without entering the userId and password.

Question: How can I prevent the same session from being duplicated across multiple browsers?


BalusC

You cannot prevent this particular case of someone just copying the cookie from your own browser (or copy/pasting or screenshotting the cookie value from an HTTP payload posted by some ignorant person on the Internet). You can at most prevent the cookie from being hijacked by XSS or man-in-the-middle attacks.

This is all elaborated in the Wikipedia page on the subject, Session Hijacking, of which I snipped away the irrelevant parts (either already enforced by the Servlet API, or simply not applicable here).

Prevention

Methods to prevent session hijacking include:

  • Encryption of the data traffic passed between the parties by using SSL/TLS; in particular the session key (though ideally all traffic for the entire session[11]). This technique is widely relied upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack. In response, scientists from the Radboud University Nijmegen proposed in 2013 a way to prevent session hijacking by correlating the application session with the SSL/TLS credentials.[12]
  • (snip, not relevant)
  • (snip, not relevant)
  • Some services make secondary checks against the identity of the user. For example, a web server could check with each request made that the IP address of the user matched the one last used during that session. This does not prevent attacks by somebody who shares the same IP address, however, and could be frustrating for users whose IP address is liable to change during a browsing session.
  • Alternatively, some services will change the value of the cookie with each and every request. This dramatically reduces the window in which an attacker can operate and makes it easy to identify whether an attack has taken place, but can cause other technical problems (for example, two legitimate, closely timed requests from the same client can lead to a token check error on the server).
  • (snip, not relevant)

In other words:

  • Use HTTPS instead of HTTP to prevent man-in-the-middle attacks.
  • Add a checkbox "Lock my IP" to the login form and reject requests from a different IP associated with the same session in a servlet filter. This only works for users who know that they have a fixed IP.
  • Change the session cookie on every request. Interesting at first sight, but it breaks when the user has the same website open in multiple browser tabs/windows in the same "session".
  • Not mentioned, but make sure you don't have an XSS hole anywhere, else it's very easy to steal cookies.

Last but not least, I'd like to make clear that this problem is absolutely not specifically related to the Servlet API and the JSESSIONID cookie. All other stateful server-side languages/frameworks such as PHP (PHPSESSID) and ASP (ASPSESSIONID) expose exactly the same security problem. The JSESSIONID was previously (a decade ago or so) only a bit more in the news because by default it was possible to pass the session identifier along in the URL (which was done to support HTTP sessions in clients that have cookies disabled). Trouble started when ignorant end users copy-pasted the full URL with the JSESSIONID inside to share links with others. Since Servlet 3.0 you can turn off JSESSIONID in URLs by enforcing a cookie-only policy.

<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

See also:
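A servlet filter implementing the "Lock my IP" option from the list above, as an added example that is not part of BalusC's answer or the asker's webapp. It assumes the login servlet stores request.getRemoteAddr() under the (hypothetical) session attribute lockedIp when the user ticked the checkbox, that /login is the login page, and that Tomcat is not behind a reverse proxy (otherwise getRemoteAddr() returns the proxy's address and a valve such as Tomcat's RemoteIpValve is needed first).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Rejects requests whose session was locked to a different client address at login.
@WebFilter("/*")
public class SessionIpLockFilter implements Filter {

    // Assumed attribute name. The login servlet sets it on the *new* session it
    // creates after invalidating the old one, e.g.:
    //   if (request.getParameter("lockIp") != null)
    //       newSession.setAttribute(LOCKED_IP, request.getRemoteAddr());
    public static final String LOCKED_IP = "lockedIp";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // never create a session here

        if (session != null && !ipMatches(session, request.getRemoteAddr())) {
            // The cookie is valid, but the request comes from a different address
            // than the one locked at login: treat the session as hijacked, destroy
            // it server-side and force a fresh login instead of serving the page.
            session.invalidate();
            response.sendRedirect(request.getContextPath() + "/login?reason=ipmismatch");
            return;
        }
        chain.doFilter(req, res);
    }

    // A session without a lock (checkbox not ticked) is always allowed through.
    static boolean ipMatches(HttpSession session, String remoteAddr) {
        Object locked = session.getAttribute(LOCKED_IP);
        return locked == null || locked.equals(remoteAddr);
    }
}
```

Invalidating rather than merely redirecting matters: it also evicts the legitimate browser, which makes the hijack visible to the user instead of silently continuing in both places.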
