返回列表 回复 发帖
僵尸道长

版主

Rank: 10Rank: 10Rank: 10

社区积分
3078  
技术积分
6517  
阅读权限
150 
注册时间
2007-5-22 
    论坛徽章 28
IXPUB北京九华山庄2008年会纪念徽章  2008年新春纪念徽章  圣诞节徽章  
楼主
打印
tT
发表于 2008-9-18 09:47 | 只看该作者

JSESSIONID Regeneration in Struts 2

Background

Whenever a user crosses an authentication boundary, the user's session ID should be regenerated. This concept applies to a user logging into an application, logging out, or when a user reauthenticates due to a risk-based authentication process. The regeneration of session IDs is an important practice that helps eliminate session fixation vulnerabilities and may limit the impact of session theft vulnerabilities prior to authentication.


For more information on Session Fixation vulnerabilities and Session ID regeneration practices, please see the OWASP pages below:


http://www.owasp.org/index.php/Session_Fixation
http://www.owasp.org/index.php/S ... ation_of_Session_To

kens
Session ID Regeneration in Traditional Java Web Applications In a J2EE application, the user's JSESSIONID cookie should be regenerated and the previous session should be removed or deleted from the server. Example code below shows how this might be accomplished in a traditional Java web application.
  1. public class ExampleLoginServlet extends HttpServlet {

  3. public void doGet(HttpServletRequest request, HttpServletResponse response)


  6.      throws ServletException, IOException {


  9.      if( //authentication was successful ) {


  12.         request.getSession().invalidate();


  15.         HttpSession session = request.getSession(true);


  18.         session.setAttribute("AUTHENTICATED", new Boolean(true));


  21.         response.sendRedirect("PageRequiringAuthentication.jsp");


  24. //Additional Code Would Normally Follow


  27. Session ID Regeneration in Struts 2 Applications


  30. In Struts 2 applications, developers typically don't directly interact with
  31. the HttpServletRequest, HTTPServletResponse, or HttpSession objects. With
  32. consideration of these factors, the solution discussed above for a
  33. traditional Java web application may not be appropriate for Struts 2.


  36. I did a little research and through trial an error I came up with a Struts 2
  37. specific solution for regenerating JSESSIONIDs. This solution utilizes the
  38. SessionAware interface. Please excuse the unrealistic authentication code...


  41. package nickcoblentzblog.actions.sessions;


  44. import java.util.Map;


  47. import org.apache.struts2.interceptor.SessionAware;


  50. import com.opensymphony.xwork2.ActionContext;


  53. import com.opensymphony.xwork2.ActionSupport;


  56. import org.apache.struts2.dispatcher.SessionMap;


  59. public class Login extends ActionSupport implements SessionAware  {


  62. private String userid;


  65. private String password;


  68. private Map session;


  71. public String execute() {


  74.   if(userid.equals("admin") && password.equals("admin"))  {


  77.      /* Session ID Regeneration: Try #4 */


  80.      ((SessionMap)this.session).invalidate();


  83.      this.session = ActionContext.getContext().getSession();


  86.      /* End Try #4 */


  89.      session.put("AUTHENTICATED", new Boolean(true));


  92.      return SUCCESS;


  95.   }


  98.   else


  101.      return ERROR;



  105. }


  108. public String getUserid() {

  110.   return userid;



  114. }


  117. public void setUserid(String userid) {

  119.   this.userid = userid;



  123. }


  126. public String getPassword() {

  128.   return password;



  132. }


  135. public void setPassword(String password) {

  137.   this.password = password;



  141. }


  144. public void setSession(Map session) {

  146.   this.session = session;



  150. }
  151. }


  154. To test this code, I followed the following procedure.

  156. 1. Cleared all browser cookies
  157. 2. Visited the Login JSP page
  158. 3. Used the Web Developer Toolbar to view my initial JSESSIONID
  159. 4. Logged into the application successfully
  160. 5. Used the Web Developer Toolbar to view my final JSESSIONID


  163. The initial JSESSIONID value was:
  164. AA4996C5E24BB8221BB27B23EA599F34


  167. The final JSESSIONID value was:
  168. 325ED18851B93EBA542D2AE7926E7F8E


  171. Based on these tests this solution appears to work successfully.


  174. In case anyone is curious, here are a couple other ideas I toyed with:


  177. /* Try # 1:


  180. this.request.getSession().invalidate();


  183. this.request.getSession(true);


  186. */


  189. /* Try #2:


  192. HTTPUtilities esapiHTTPUtilities = ESAPI.httpUtilities();


  195. esapiHTTPUtilities.setCurrentHTTP(request, response);


  198. try {


  201. esapiHTTPUtilities.changeSessionIdentifier();



  205. }


  208. catch(Exception e) {

  210. e.printStackTrace();



  214. }


  217. */

  219. /* Try #3:


  222. ((SessionMap)ActionContext.getContext().getSession()).invalidate();


  225. */


  228. Posted by Nick Coblentz
复制代码
收藏 分享 评分
如果2...请深2...
回复 引用

订阅 TOP

返回列表