aspose file tools
The moose likes Servlets and the fly likes Session tampering Big Moose Saloon
  Search | Java FAQ | Recent Topics
Register / Login


Win a copy of The Mikado Method this week in the Agile and other Processes forum!
JavaRanch » Java Forums » Java » Servlets
Reply Bookmark "Session tampering" Watch "Session tampering" New topic
Author

Session tampering

roel croonenberghs
Greenhorn

Joined: May 28, 2009
Posts: 10
posted private message
0
Quote
Hi,

In my application, I have a JSESSIONID for access control. Now when I access my app with chrome as user 1 and take over the JSESSIONID and then go to firefox, login as user2 and alter the JSESSIONID to make the value the same as for user1. From there on I'm identified as user1.
I know one should have access to the app /computer user1 has used. And user1 must not be logged out (just closed browser) and no session timeout has occured. To be able to exploit this sessionid tampering.
But is there a way to prevent it? And knowing that the JSESSIONID is not valid.
Sagar Rohankar
Ranch Hand

Joined: Feb 19, 2008
Posts: 2896
    
    1

I like...
Java Spring Ubuntu
posted private message
0
Quote
Try to implement one of the "Prevention" listed here: http://en.wikipedia.org/wiki/Session_hijacking

[LEARNING bLOG] | [Freelance Web Designer] | [and "Rohan" is part of my surname]
 
I agree. Here's the link: http://ej-technologies/jprofiler - if it wasn't for jprofiler, we would need to run our stuff on 16 servers instead of 3.
 
subject: Session tampering
 
Similar Threads
Session scoped attributes in different apps
Session Fixation Attack with Tomcat 7
Lightweight vs. Heavyweight objects
Confused on http session..
Hibernate Query