How can I make the session ID more secure?
saivenkat venkatesan
Greenhorn
Joined: Aug 11, 2006
Posts: 14
How can I make the session ID more secure? Can I use HTTPS instead of HTTP to send requests? How will HTTPS help me?
Bear Bibeault
Author and ninkuma
Marshal
Joined: Jan 10, 2002
Posts: 56150
What makes you think it's insecure?
John G Martinson
Greenhorn
Joined: Jul 25, 2005
Posts: 8
Originally posted by saivenkat venkatesan: How can I make the session ID more secure? Can I use HTTPS instead of HTTP to send requests? How will HTTPS help me?

Well, first you have to decide what is not secure enough about the session ID. This should be something that is handled within the context of the servlet container. Unfortunately, HTTPS may not help very much in getting rid of attacks that involve taking advantage of session ID cracks. Which container are you using, and how does it implement the session ID? What kinds of attacks are you worried about? Answer those questions, and then you will start to be able to answer how to make the session ID more secure.
Ben Souther
Sheriff
Joined: Dec 11, 2004
Posts: 13410
Originally posted by John G Martinson: Unfortunately, HTTPS may not help very much in getting rid of attacks that involve taking advantage of session ID cracks.

Actually, it can help quite a bit. Try firing up a packet sniffer and watch the traffic between a browser and a servlet app running under SSL. Then watch the traffic between a browser and a non-secure servlet app. In the latter, you will see the JSPSESSIONID and its value, in plain text. In the former, all of that is encrypted.

Non-Secure:

Same app under SSL:

Which looks easier to hack to you?

[BPS: Added newlines to the SSL gobbledygook]

[ September 13, 2006: Message edited by: Ben Souther ]
John G Martinson
Greenhorn
Joined: Jul 25, 2005
Posts: 8
Encryption != Security. See this article. The problem lies in how the JSESSIONID is created and used. If it is created in such a way that a third party can predict it, or at least reasonably guess at it, it is not very secure. And remember that Tomcat and other servlet containers are open source, and malicious people do look at the source code to see what is happening. So the trick is to make up your own unique session ID that cannot be guessed or predicted, find a way to change the session ID on login or ignore the JSESSIONID within your servlet, put your new session ID into a different cookie, and make your own session tracking, which may be a royal pain depending on how complex your app is. The thing is, I don't really know how to change the JSESSIONID, so if someone else does, that would be good to see.
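An added example (not code from the thread, and not Tomcat's or any container's own code) of the approach described in the post above, written in Java against the Servlet 3.0+ API: on successful login the servlet invalidates the pre-login session so the container issues a fresh JSESSIONID, binds a SecureRandom-generated token to the new session, and sends that token in its own Secure, HttpOnly cookie. The cookie name AUTHTOKEN, the /home redirect target and the authenticate() method are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Added example, not code from the thread. Assumes the Servlet 3.0+ API
 * (javax.servlet.*); the cookie name AUTHTOKEN, the /home redirect target and
 * authenticate() are hypothetical placeholders.
 */
public class LoginServlet extends HttpServlet {

    private static final SecureRandom RNG = new SecureRandom();
    private static final String AUTH_COOKIE = "AUTHTOKEN"; // hypothetical name

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        if (!authenticate(user, req.getParameter("pass"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 1. Retire the pre-login session ID. Whatever value was in play before
        //    authentication (observed, predicted or planted) is now worthless.
        Map<String, Object> carryOver = new HashMap<>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carryOver.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession session = req.getSession(true); // fresh container-issued JSESSIONID
        carryOver.forEach(session::setAttribute);
        session.setAttribute("user", user);

        // 2. Add an application-generated token with 256 bits of SecureRandom
        //    entropy, bound to the session on the server side.
        String token = newToken();
        session.setAttribute(AUTH_COOKIE, token);

        // 3. Ship it in its own cookie: Secure keeps it off plain HTTP, HttpOnly
        //    keeps it away from page scripts.
        Cookie c = new Cookie(AUTH_COOKIE, token);
        c.setSecure(true);
        c.setHttpOnly(true);
        c.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        resp.addCookie(c);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /** 32 random bytes as URL-safe Base64: neither sequential nor guessable. */
    static String newToken() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /**
     * Per-request check (call it from a Filter): the AUTHTOKEN cookie must match
     * the value bound to the session. Constant-time compare avoids timing leaks.
     */
    static boolean tokenMatches(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        Cookie[] cookies = req.getCookies();
        if (session == null || cookies == null) return false;
        Object expected = session.getAttribute(AUTH_COOKIE);
        if (expected == null) return false;
        byte[] want = expected.toString().getBytes(StandardCharsets.UTF_8);
        for (Cookie c : cookies) {
            if (AUTH_COOKIE.equals(c.getName())) {
                byte[] got = c.getValue().getBytes(StandardCharsets.UTF_8);
                return MessageDigest.isEqual(want, got);
            }
        }
        return false;
    }

    /** Placeholder credential check; a real application verifies against its user store. */
    private boolean authenticate(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}
```

Called from a Filter on every protected request, tokenMatches() rejects requests whose cookie does not match the server-side value, so knowing or guessing the container's JSESSIONID alone is not enough. The container's own JSESSIONID cookie can be given the same Secure and HttpOnly flags through the Servlet 3.0 session-config/cookie-config element in web.xml, so it is never sent over plain HTTP either.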
Ben Souther
Sheriff
Joined: Dec 11, 2004
Posts: 13410
Tomcat uses separate session IDs for secure and non-secure connections (as, I believe, most containers do). Even guessing the session ID won't get you access unless you can intercept the SSL session.
Ben Souther
Sheriff
Joined: Dec 11, 2004
Posts: 13410
Also, if you look at a series of session IDs, you'll see that they're not incremental as the article in your link suggests; they're random. Again, this is a moot point anyway, since you can't do anything with the session ID generated under a secure connection from a non-secure connection anyway.

[ September 13, 2006: Message edited by: Ben Souther ]