What are the best practices to avoid session hijacking in a Java-based web application? Is implementing SSL certificates more than enough? For my WebLogic server, SSL is installed and I have cross-verified the data that is being transmitted over the network using the Wireshark tool, which shows that my data (request) is encrypted the moment it leaves my PC, and it ensures that there is no possibility of hijacking the session id or any other sensitive data over the network. I just wanted to know if there is still any possibility of hijacking the session id or data in any manner.
"no possibility" is going to be impossible to achieve. You want to instead focus on "acceptable risk".
Two potential points of vulnerability include a brute-force attack on your key, or simply the theft of your key. While brute-force is extremely difficult (and time consuming), you can't rule it out as "no possibility". Likewise, if someone were to gain access to your server & steal your private key, they could potentially use your private key to hijack a session. The key exchange process used by SSL would still make this very difficult to hijack (easier to pretend to be your server and start a NEW session), but it should not be considered impossible.
Most industries, including the Payment Card Industry, consider using SSL for transport secure enough to be an "acceptable risk".
In preparing for battle I have always found that plans are useless, but planning is indispensable. -- Dwight D. Eisenhower
Have you tried setting the session id in a secure cookie?
That way, you will not be able to recreate the request using session info, because you will be checking the cookie info as well.
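To make the suggestion above concrete, here is an added example (not code from any poster in this thread) of how a Java web application running on a Servlet 3.0+ container such as a recent WebLogic release can mark the session cookie as Secure and HttpOnly, and can discard the pre-login session id once the user authenticates. The class names `SessionHardeningListener` and `SessionUtil` and the attribute name `"user"` are my own choices, not anything from the thread.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Runs once at deployment and configures the container-managed session
 * cookie (JSESSIONID). Assumes a Servlet 3.0 or newer container; the same
 * settings can be declared in web.xml under <session-config><cookie-config>.
 */
@WebListener
public class SessionHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        // Secure: the browser only sends the cookie over HTTPS, so the id
        // never appears in a plaintext HTTP request that a sniffer could read.
        cfg.setSecure(true);
        // HttpOnly: the cookie is hidden from document.cookie, so a script
        // injected into a page cannot read the session id.
        cfg.setHttpOnly(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}

/**
 * Helper for the login step. Hypothetical name; call it from the login
 * servlet only after the user's credentials have been verified.
 */
final class SessionUtil {

    private SessionUtil() {
    }

    /**
     * Replaces whatever session existed before login with a fresh one, so a
     * session id that was handed out (or planted) before authentication is
     * never promoted to an authenticated session.
     */
    static HttpSession establishAuthenticatedSession(HttpServletRequest req, String username) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();            // drop the pre-login id
        }
        HttpSession fresh = req.getSession(true); // container issues a new id
        fresh.setAttribute("user", username);     // attribute name is my choice
        return fresh;
    }
}
```

The two flags address different exposures: Secure keeps the id off plaintext connections, and HttpOnly keeps it away from page scripts. Neither flag stops someone who can read cookies directly on the user's own machine, which is the point raised in the reply that follows; a short session timeout and re-issuing the id at login limit how long and how usefully a copied id remains valid.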
A Phatak - I am not able to get you; what do you mean by "checking the cookie info as well"? Even though we put the session id in the secure cookie, it is still readable and accessible from within the logged-in user's PC.