JavaRanch » Java Forums » Java » Servlets

Session Hijacking

Pawan Komaram
Ranch Hand

Joined: Dec 08, 2009
Posts: 91

What are the best practices to avoid session hijacking in a Java-based web application? Is implementing SSL certificates more than enough? For my WebLogic server, SSL is installed and I have cross-verified the data being transmitted over the network using the Wireshark tool, which shows that my data (request) is encrypted the moment it leaves my PC, and it ensures that there is no possibility of hijacking the session id or any other sensitive data over the network... I just wanted to know if there is still any possibility of hijacking the session id or data in any manner.

Pete Nelson
Ranch Hand

Joined: Aug 30, 2010
Posts: 147

"no possibility" is going to be impossible to achieve. You want to instead focus on "acceptable risk".

Two potential points of vulnerability include a brute-force attack on your key, or simply the theft of your key. While brute-force is extremely difficult (and time consuming), you can't rule it out as "no possibility". Likewise, if someone were to gain access to your server & steal your private key, they could potentially use your private key to hijack a session. The key exchange process used by SSL would still make this very difficult to hijack (easier to pretend to be your server and start a NEW session), but it should not be considered impossible.

Most industry, including the Payment Card Industry, consider using SSL for transport secure enough to be an "acceptable risk".

In preparing for battle I have always found that plans are useless, but planning is indispensable. -- Dwight D. Eisenhower
A Phatak

Joined: Sep 22, 2011
Posts: 24
Have you tried setting sessionid in secure cookie?
That way, you will not be able to recreate the request using session info, because you will be checking the cookie info as well.

ocpjp 6 (86%)
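As an added example (not code from this thread or from any of its posters), here is how the "session id in a secure cookie" advice looks in Servlet 3.1 code: a listener that sets the Secure and HttpOnly flags on the container's session cookie, and a login servlet that rotates the session id once the user has authenticated, so an id the client held before login (a fixation attempt) is no longer valid afterwards. The package name, the `/login` and `/home` paths, and the `credentialsValid` helper are assumptions for the example; the container calls (`SessionCookieConfig`, `changeSessionId`) are standard Servlet 3.1 API.

```java
// File: SessionCookieHardening.java  (added example, hypothetical package)
package example;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/** Runs once at deployment; applies to every JSESSIONID cookie the container issues. */
@WebListener
public class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        // Secure: the browser only sends the cookie over HTTPS, so the id is never
        // exposed on a plain-HTTP request to the same host (e.g. a stray http:// link).
        cfg.setSecure(true);
        // HttpOnly: the cookie is not readable via document.cookie, which removes the
        // usual XSS route for lifting the session id out of the logged-in browser.
        cfg.setHttpOnly(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}

// File: LoginServlet.java  (added example, hypothetical package)
package example;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login")  // assumed path
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (!credentialsValid(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Ensure a session exists, then change its id. Whatever id the client sent
        // before authenticating is discarded by the container; only the new one,
        // issued over HTTPS with the flags above, identifies the logged-in user.
        HttpSession session = req.getSession(true);
        req.changeSessionId();  // Servlet 3.1+; older containers: invalidate() + getSession(true)
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home");  // assumed landing page
    }

    /** Placeholder for the real credential check (assumption for this example). */
    private boolean credentialsValid(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}
```

The same cookie flags can be set declaratively in `web.xml` (Servlet 3.0+) with `<session-config><cookie-config><secure>true</secure><http-only>true</http-only></cookie-config></session-config>`; either form has the same effect. Neither flag protects the id from someone with access to the user's machine, so the rotation on login and a sensible session timeout are what limit how long a leaked id stays useful.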
Pawan Komaram
Ranch Hand

Joined: Dec 08, 2009
Posts: 91
A Phatak - I am not able to get you; what do you mean by "checking the cookie info as well"? Though we put the session id in the secure cookie, it is still readable and accessible from within the logged-in user's PC.