This week's giveaway is in the EJB and other Java EE Technologies forum. We're giving away four copies of EJB 3 in Action and have Debu Panda, Reza Rahman, Ryan Cuprak, and Michael Remijan on-line! See this thread for details.
how can i make the session id more secure. can i use https instead of http to send request ?how https will help me ?
Well 1st you have to decide what is not secure enough about the session id. This should be something that is handled within the context of the servlet container. Unfortunately https may not help very much in gettting rid of attacks that involve taking advantage of session id cracks.
Which container are you using? and how does it implement the session id? What kinds of attacks are you worried about? Answer those questions, and then you will start to be able to answer how to make the session id more secure.
Unfortunately https may not help very much in gettting rid of attacks that involve taking advantage of session id cracks.
Actually, it can help quite a bit. Try firing up a packet sniffer and watch the traffic between a browser and a servlet app running under SSL. Then watch the traffic between a browser and a non secure servlet app. In the latter, you will see the JSPSESSIONID and it's value; in plain text. In the former, all of that is encrypted.
Same app under SSL:
Which looks easier to hack to you?
[BPS: Added newlines to the ssl gobblygook] [ September 13, 2006: Message edited by: Ben Souther ]
The problem lies in how the Jsessionid is created an used. If it is created in such a way that a third party can predict it or at least reasonably guess at it, it is not very secure. And remember that Tomcat and other Servlet containers are open source, and malicious people do look at the source code to see what is happening.
So the trick is to make up your own unique session id that cannot be guessed or predicted, find a way to change the sessionid on login or ignore the Jsessionid with in your servlet, put your new sessionid into a different cookie, and make your own session tracking, which may be a royal pain depending on how complex your app is.
The thing is I don't really know how to change the Jsessionid, so if someone else does, that would be good to see.
Also, if you look at a series of sessionIDs, you'll see that they're not incremental as the article in your link suggests, they're random. Again, this is a moot point anyway since you can't do anything with the sesssion id generated under a secure connection from a non secure connection anyway. [ September 13, 2006: Message edited by: Ben Souther ]