JavaRanch » Java Forums » Engineering » Security
getting session using burp suite professional

vijay jamadade
Ranch Hand

Joined: May 12, 2008
Posts: 240
Hi,
We are doing penetration testing for our application. For logout I am invalidating the session using session.invalidate, but the penetration testing people are still able to record the session ID from the active session, and somehow they are accessing the application after logout using the Burp Suite tool by accessing the same recorded session ID.

The problem here is that I am not getting why they are able to get the session for the recorded session ID even after logout on the container. I guess session.invalidate will destroy the session on the server. I am using WebLogic Server. Is it possible?


Regards, Vijay Jamadade.
( Nothing is Impossible.)
vijay jamadade
Ranch Hand

Joined: May 12, 2008
Posts: 240
The issue is that I am invalidating the WebLogic session using session.invalidate, but the session is still not getting destroyed on the server. So by recording the session ID and using a tool like Burp Suite, I am able to get inside the application with the old session.

Now I have found out that destroying the session takes some time on the server, depending on the value set on the admin server for that application. I set it to 2 sec. Still, it is taking around 3-4 minutes to destroy it. Is it that slow a task?
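
An added example, not part of the original posts and not WebLogic or the poster's code: a small Python model of the replay check described in this thread (record the session ID, log out, present the recorded ID again), usable as a regression test for logout. It runs against a constructed in-process WSGI app whose logout either only clears the browser cookie or also removes the server-side session; the app, the `SID` cookie name and the paths are assumptions made for illustration.

```python
import secrets
from wsgiref.util import setup_testing_defaults

def make_app(server_side_logout):
    """Toy WSGI app (constructed for this example, not WebLogic)."""
    sessions = {}  # session id -> user name, held on the server

    def app(environ, start_response):
        path = environ["PATH_INFO"]
        sid = environ.get("HTTP_COOKIE", "").partition("SID=")[2]
        headers = [("Content-Type", "text/plain")]
        status = "200 OK"
        if path == "/login":
            sid = secrets.token_hex(16)
            sessions[sid] = "demo-user"
            headers.append(("Set-Cookie", f"SID={sid}; HttpOnly; Path=/"))
        elif path == "/logout":
            if server_side_logout:
                sessions.pop(sid, None)  # the id stops resolving on the server
            # Both variants tell the browser to drop its copy of the cookie.
            headers.append(("Set-Cookie", "SID=; Max-Age=0; Path=/"))
        elif sid not in sessions:  # any other path is a protected page
            status = "401 Unauthorized"
        start_response(status, headers)
        return [status.encode()]
    return app

def call(app, path, cookie=""):
    """Send one GET to the app in-process; return (status code, Set-Cookie)."""
    environ = {"PATH_INFO": path, "HTTP_COOKIE": cookie}
    setup_testing_defaults(environ)
    seen = {}
    def start_response(status, headers):
        seen["code"] = int(status.split()[0])
        seen["cookie"] = dict(headers).get("Set-Cookie", "")
    app(environ, start_response)
    return seen["code"], seen["cookie"]

def replay_after_logout(app):
    """Record the session cookie, log out, then present the recorded cookie again."""
    _, set_cookie = call(app, "/login")
    recorded = set_cookie.split(";")[0]               # "SID=<id>"
    assert call(app, "/account", recorded)[0] == 200  # valid while logged in
    call(app, "/logout", recorded)
    return call(app, "/account", recorded)[0]         # 401 expected after logout

if __name__ == "__main__":
    print("cookie cleared only:", replay_after_logout(make_app(False)))
    print("server-side invalidation:", replay_after_logout(make_app(True)))
```

The check passes only when the status returned for the replayed cookie is a rejection; clearing the cookie in the browser has no effect on a copy of the ID recorded elsewhere.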
 