JavaRanch » Java Forums » Java » Servlets
How can I make the session ID more secure

saivenkat venkatesan
Greenhorn

Joined: Aug 11, 2006
Posts: 14
How can I make the session ID more secure? Can I use HTTPS instead of HTTP to send requests? How will HTTPS help me?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61413
What makes you think it's unsecure?


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
John G Martinson
Greenhorn

Joined: Jul 25, 2005
Posts: 8
How can I make the session ID more secure? Can I use HTTPS instead of HTTP to send requests? How will HTTPS help me?


Well, first you have to decide what is not secure enough about the session ID. This should be something that is handled within the context of the servlet container. Unfortunately, HTTPS may not help very much in getting rid of attacks that involve taking advantage of session ID cracks.

Which container are you using, and how does it implement the session ID?
What kinds of attacks are you worried about? Answer those questions, and then you will start to be able to answer how to make the session ID more secure.


A little wiser for the wear.
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by John G Martinson:

Unfortunately, HTTPS may not help very much in getting rid of attacks that involve taking advantage of session ID cracks.


Actually, it can help quite a bit.
Try firing up a packet sniffer and watch the traffic between a browser and a servlet app running under SSL. Then watch the traffic between a browser and a non-secure servlet app.
In the latter, you will see the JSESSIONID and its value, in plain text.
In the former, all of that is encrypted.


Non-Secure:


Same app under SSL:



Which looks easier to hack to you?

[BPS: Added newlines to the ssl gobblygook]
[ September 13, 2006: Message edited by: Ben Souther ]

Java API J2EE API Servlet Spec JSP Spec How to ask a question... Simple Servlet Examples jsonf
John G Martinson
Greenhorn

Joined: Jul 25, 2005
Posts: 8
Encryption != Security.

See this article

The problem lies in how the JSESSIONID is created and used. If it is created in such a way that a third party can predict it, or at least reasonably guess at it, it is not very secure. And remember that Tomcat and other servlet containers are open source, and malicious people do look at the source code to see what is happening.

So the trick is to make up your own unique session ID that cannot be guessed or predicted, find a way to change the session ID on login or ignore the JSESSIONID within your servlet, put your new session ID into a different cookie, and make your own session tracking, which may be a royal pain depending on how complex your app is.

The thing is, I don't really know how to change the JSESSIONID, so if someone else does, that would be good to see.
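One way to do the "change the session ID on login" step with the container's own session instead of a home-grown cookie, as an added example that is not from this thread: a Servlet 3.x login servlet (javax.servlet namespace, as in Tomcat 9 and earlier) that invalidates the pre-login session and has the container issue a fresh one, plus a listener that marks JSESSIONID Secure and HttpOnly. LoginServlet, authenticate(), the form field names and the /home redirect are assumptions made for the example.

```java
import java.io.IOException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Marks JSESSIONID Secure (only ever sent over HTTPS, so a sniffer on a plain
// connection never sees it) and HttpOnly. Cookie config must be set before the
// context finishes starting, hence a listener rather than servlet init().
@WebListener
class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setSecure(true);
        cfg.setHttpOnly(true);
    }
    @Override public void contextDestroyed(ServletContextEvent sce) { }
}

@WebServlet("/login")   // hypothetical login endpoint
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");            // assumed form field
        if (!authenticate(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Session fixation defence: drop any pre-login session so an ID issued
        // (or observed) before authentication is never promoted to a logged-in one.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);   // container mints a fresh random ID
        session.setAttribute("user", user);
        // Servlet 3.1+ alternative that keeps the attributes but swaps the ID:
        // req.changeSessionId();
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    private boolean authenticate(String user, String pass) {
        return user != null && pass != null;   // hypothetical placeholder credential check
    }
}
```

Invalidating and re-creating the session loses anything stored in the pre-login session (a shopping cart, for instance); copy across the attributes you want to keep before calling invalidate(), or use changeSessionId() where the container supports it.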
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Tomcat uses separate session IDs for secure and non-secure connections (as, I believe most containers do).
Even guessing the sessionID won't get you access unless you can intercept the SSL session.
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Also, if you look at a series of sessionIDs, you'll see that they're not incremental as the article in your link suggests, they're random.
Again, this is a moot point anyway, since you can't do anything with the session ID generated under a secure connection from a non-secure connection anyway.
[ September 13, 2006: Message edited by: Ben Souther ]