Session Hijacking

 
Pawan Komaram
Ranch Hand
Posts: 91
Hi

What are the best practices to avoid session hijacking in a Java-based web application? Is implementing SSL certificates more than enough? For my WebLogic server, SSL is installed, and I have cross-verified the data being transmitted over the network using the Wireshark tool, which shows that my data (request) is encrypted the moment it leaves my PC and ensures that there is no possibility of hijacking the session id or any other sensitive data over the network... I just wanted to know whether there is still any possibility of hijacking the session id or data in any manner.

Thanks!!
 
Pete Nelson
Ranch Hand
Posts: 147
"no possibility" is going to be impossible to achieve. You want to instead focus on "acceptable risk".

Two potential points of vulnerability include a brute-force attack on your key, or simply the theft of your key. While brute-force is extremely difficult (and time consuming), you can't rule it out as "no possibility". Likewise, if someone were to gain access to your server and steal your private key, they could potentially use your private key to hijack a session. The key exchange process used by SSL would still make this very difficult to hijack (easier to pretend to be your server and start a NEW session), but it should not be considered impossible.

Most industries, including the Payment Card Industry, consider using SSL for transport secure enough to be an "acceptable risk".
 
A Phatak
Greenhorn
Posts: 24
Have you tried setting the session id in a secure cookie?
That way, you will not be able to recreate the request using the session info, because you will be checking the cookie info as well.
 
Pawan Komaram
Ranch Hand
Posts: 91
A Phatak, I am not able to get you; what do you mean by "checking the cookie info as well"? Though we put the session id in the secure cookie, it is still readable and accessible from within the logged-in user's PC.
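The "secure cookie" advice above, and the follow-up question about what the server actually checks, as an added example that is not from this thread or from WebLogic: a Servlet 3.0 context listener (class and method names are assumed) that marks the session cookie Secure and HttpOnly, keeps the id out of URLs, and rotates the session id after login so an id observed or planted before authentication is worthless afterwards.

```java
// Added example, not from the thread. Assumes a Servlet 3.0+ container
// (WebLogic 12c or later); class/method names are hypothetical.
import javax.servlet.*;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;
import java.util.EnumSet;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

@WebListener
public class SessionHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();
        cfg.setSecure(true);    // browser sends JSESSIONID over HTTPS only
        cfg.setHttpOnly(true);  // page script cannot read it (limits XSS theft)
        // Never fall back to ;jsessionid= in URLs, which leak via Referer/logs.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    /** Call once credentials have been verified. Copies attributes into a
     *  brand-new session and invalidates the pre-login one, so the id the
     *  client held before authenticating no longer maps to anything.
     *  (Servlet 3.1 containers can use req.changeSessionId() instead.) */
    public static HttpSession rotateSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> attrs = new HashMap<>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                attrs.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setMaxInactiveInterval(15 * 60); // shorten the window a stolen id is useful
        return fresh;
    }
}
```

The Secure flag answers the original concern only for the network path; the server-side id rotation and idle timeout are what limit damage when an id is read from the client machine, which cookie flags alone cannot prevent.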
 