• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Session tampering

 
roel croonenberghs
Greenhorn
Posts: 10
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi,

In my application, I have a JSESSIONID for access control. Now when I access my app with chrome as user 1 and take over the JSESSIONID and then go to firefox, login as user2 and alter the JSESSIONID to make the value the same as for user1. From there on I'm identified as user1.
I know one should have access to the app /computer user1 has used. And user1 must not be logged out (just closed browser) and no session timeout has occured. To be able to exploit this sessionid tampering.
But is there a way to prevent it? And knowing that the JSESSIONID is not valid.
 
Sagar Rohankar
Ranch Hand
Posts: 2904
1
Java Spring Ubuntu
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Try to implement one of the "Prevention" listed here: http://en.wikipedia.org/wiki/Session_hijacking
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic