javasession-fixation

Preventing session fixation in java


I have a web application written in java. We don't use sessions in authentication process. An application scan was ran and it was found that we have possibility of session fixation attack. I am wondering when we are not using session, how do you fix or prevent session fixation? This is what the FORTIFY scan report tells

The following changes were applied to the original request:
• Added parameter 'Cookie_abcxyz.com-443' with the following value 'R3777273810'
• Removed cookie 'Cookie_abcxyz.com-443'

Request/Response:
GET / HTTP/1.1
Content-Length: 43
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: myportal.abcxyz.com
Cookie_abcxyz.com-443=R3777273810
HTTP/1.1 200 OK
Set-Cookie: Cookie_abcxyz.com-443=R3777273810; path=/
Content-Length: 11211
Date: Mon, 13 Feb 2012 17:08:14 GMT
Server: abcxyz
Cache-Control: no-cache
Content-type: text/html

Solution

  • We don't use sessions in authentication process.... I am wondering when we are not using session

    This is irrelevant. I assume that you use session management for your server.This error report indicates that you don't validate the query string for your session identifiers.
    Check here for some examples of how you can be attacked: Session Fixation

    UPDATE:
    I suspected that you didn't use a standard container.I can't tell you what you actually should do since you have not put any code, but from your description and the fact that you got a report for such a finding the problem is that you allow URL re-rewriting and the attacker can use it to "steal" the session by passing in a known session id.
    Broadly speaking what you should do is after the user has logged in then invalidate the current session and create a new one on the spot.As a result the already "stoled" id can not be reused.

    And since the information you provide in the post is so little you should take some time to study some of the following to identify the part of your code that is in problem:
    OWASP 1
    OWASP 2
    OWASP 3
    Java Secure session SO
    ASP as well
    Interesting paper on session fixation
    Some HTTP utilities from OWASP that you could perhaps use
    Session fixation in Java
    Secure Session Management