how to prevent session attack fixation and session hijaking in jsp servlets

Ranch Hand
I have a login code below in JSP. I will move it to servlets later. Now, with this code, how will I prevent session fixation attack and session hijacking?

Sheriff
Before you get your hands on session attacks, there are SQL injection vulnerabilities in your code that you have to combat in the first place. Moreover, your code implies you are storing passwords in plaintext without any encryption, which is another dangerous security glitch. If you worry about session fixation over URLs, you can prevent URL rewriting with a Filter, from which you can invalidate the session when you find that the session was identified from a jsessionid, by calling isRequestedSessionIdFromURL() of HttpServletRequest.
Sheriff
Move the code to a servlet now.

In my experience, "I'll do the right thing later" usually never happens.
muntago Richard
Ranch Hand
The code has been encrypted using MD5 in another Java class file called within the servlets. This JSP is just for testing. SQL injection has been resolved using prepared statements, brute-force attack has been resolved by validating login attempts. I am just concerned about how to tackle session fixation attack and session hijacking.
Devaka Cooray
Sheriff

muntago Richard wrote: the code has been encrypted using md5....

Code? If you mean passwords are hashed with MD5, that is not a good idea in the modern day. Use salted SHA-256/512 or Bcrypt for reasonable security.

muntago Richard wrote: am just concern about how to tackle session fixation attack and session hijacking

As I said before, preventing jsessionid does the major part of it. You can also force users to re-login when they are about to perform sensitive actions.

The question has nothing to do with JSP. Moving to Servlet forum.
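An added example, not code from the thread or from the original poster, of the two measures recommended above: a Filter that rejects session IDs carried in the URL (detected with isRequestedSessionIdFromURL()) and a helper that discards the pre-login session and creates a fresh one after the credentials have been verified. It assumes the javax.servlet API (Servlet 3.0); the class name, the /login.jsp redirect target and the "user" attribute name are placeholders.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Rejects session IDs delivered by URL rewriting (;jsessionid=...), the
 * channel used to hand a victim a pre-chosen session ID. Hypothetical class
 * name; register it for "/*" in web.xml or with @WebFilter.
 */
public class SessionIdFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isRequestedSessionIdFromURL()) {
            // The ID came from the URL rather than a cookie: do not trust it.
            HttpSession existing = request.getSession(false);
            if (existing != null) {
                existing.invalidate();
            }
            // Start over with a clean, cookie-based session (assumed login URL).
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    /**
     * Call after the password check succeeds. Invalidating the pre-login
     * session and creating a new one means any ID planted before
     * authentication is no longer associated with the logged-in user.
     */
    public static HttpSession rotateSessionAfterLogin(HttpServletRequest request,
                                                     String username) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("user", username); // placeholder attribute name
        return fresh;
    }
}
```

On a Servlet 3.0 container you can additionally stop the container from ever rewriting URLs by declaring `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml, so the Filter becomes a second line of defence rather than the only one.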
Author and all-around good cowpoke
Pardon my ignorance, but what exactly is a "session fixation attack"?

Bill
author & internet detective

William Brogden wrote: Pardon my ignorance, but what exactly is a "session fixation attack"?

It's a form of session hijacking. OWASP describes it better than I can.