
Insecure session management

Need

Secure session management

Context

  • Usage of Java for building cross-platform applications
  • Usage of javax.servlet for building Java web applications with servlets
  • Usage of java.io for input and output operations in Java

Description

Non compliant code

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

public class SessionServlet extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // Creates a session if none exists, otherwise reuses the current one
        HttpSession session = request.getSession(true);
        String username = request.getParameter("username");
        session.setAttribute("username", username);
        // No timeout is set and the session is never invalidated
    }

}

The above code demonstrates a servlet that creates a new session or uses an existing one when a GET request is made. The session attribute "username" is set according to the "username" parameter from the request.

The vulnerability here is that the session token does not expire even when the user terminates the session. This is because the servlet does not have any mechanism to invalidate or expire the session token when the user's session ends.

This can lead to potential security risks. For example, if an attacker is able to capture a user's session token, they can use it to impersonate the user and make requests on their behalf, even after the user has ended their session.

In order to fix this vulnerability, we should add a mechanism to invalidate the session when the user logs out or after a certain period of inactivity.

Steps

  • Implement session timeout
  • Regenerate session token on login
  • Invalidate session on logout
  • Use secure flag for session cookies
  • Use HttpOnly flag for session cookies
  • Encrypt session data

Compliant code

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

public class SessionServlet extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        HttpSession session = request.getSession(true);
        String username = request.getParameter("username");
        session.setAttribute("username", username);
        session.setMaxInactiveInterval(30 * 60); // Session timeout after 30 minutes
    }

    // Logout: POST requests end the current session
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        HttpSession session = request.getSession(false); // Do not create a session just to destroy it
        if (session != null) {
            session.invalidate(); // Invalidate session on logout
        }
    }

    // Login helper: the container does not dispatch to this method by itself,
    // so it has to be called from the handler that processes the login request
    public void doLogin(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate(); // Invalidate old session
        }
        session = request.getSession(true); // Create new session
        String username = request.getParameter("username");
        session.setAttribute("username", username);
        session.setMaxInactiveInterval(30 * 60); // Session timeout after 30 minutes
    }
}

The updated code now includes a session timeout, session invalidation on logout, and session regeneration on login.

  • setMaxInactiveInterval(30*60): This sets the session to time out after 30 minutes of inactivity. This means that if the user does not make any request within 30 minutes, the session will be invalidated automatically.

  • session.invalidate(): This method invalidates the current session and unbinds any objects associated with it. This is used when the user logs out to ensure that the session cannot be used after logout.

  • In the doLogin method, before creating a new session, any existing session is invalidated. This ensures that a new session is created every time a user logs in, preventing session fixation attacks.

Please note that this code does not set the Secure and HttpOnly flags on session cookies or encrypt session data. These features need to be implemented at the server configuration level or using specific libraries depending on your technology stack.
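One way to set the two cookie flags from inside the application, as an added example that is not part of the original compliant code: a listener that configures the session cookie when the application starts. The class name SessionCookieHardeningListener is hypothetical, and the example assumes a Servlet 3.0+ container and an application that is served only over HTTPS. It does not cover encryption of session data.

```java
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

// Added example (hypothetical class name). Assumes a Servlet 3.0+ container
// and an application that is reachable only over HTTPS.
@WebListener
public class SessionCookieHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext context = event.getServletContext();

        // Carry the session ID only in a cookie, never in the URL
        // (;jsessionid=...), where it ends up in logs and Referer headers.
        context.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        SessionCookieConfig cookie = context.getSessionCookieConfig();
        cookie.setHttpOnly(true); // Hide the session cookie from page scripts
        cookie.setSecure(true);   // Send the session cookie over HTTPS only
        cookie.setMaxAge(-1);     // Browser-session cookie, not persisted
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // Nothing to release; the method is required by the Servlet 3.x interface.
    }
}
```

The same settings can be declared in web.xml under session-config (cookie-config with http-only and secure, plus tracking-mode). With the Secure flag set, the session cookie is not sent on plain HTTP requests, so sessions only work over HTTPS.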
