The IBM Rational AppScan report for this vulnerability reads, in part:
[1/2] Session ID not updated
Severity: High
Test Type: Application
Vulnerable URLs: * * *
Repair task: Do not accept externally created session IDs.
Session ID not updated
Application
WASC Threat Classification
Authorization Type: Session Fixation
http://www.webappsec.org/projects/threat/classes/session_fixation.shtml
CVE references
Not applicable
Security risks
Client sessions and cookies may be stolen or manipulated and then used to impersonate legitimate users, allowing an attacker to view or change user records and perform transactions under that identity.
Possible causes
Web application programming or configuration is not secure ...
1. Cause of the finding:
AppScan records the session cookie (JSESSIONID, or another cookie ID depending on the application) before and after the sign-in action. If the value of that cookie has not changed after logon, AppScan reports a "Session ID not updated" vulnerability.
2. AppScan's remediation advice for "Session ID not updated":
General fix recommendation: always generate a new session for the user on successful authentication. This prevents the user from manipulating the session ID. Do not accept the session ID presented by the user's browser at logon.
3. Fixes that follow this recommendation:
Reference 1
At logon:

```jsp
<%
    // Discard the session that existed before authentication, so a session ID
    // planted before logon (session fixation) does not survive into the
    // authenticated session.
    session.invalidate();
    Cookie[] cookies = request.getCookies();
    if (null != cookies) {
        for (int i = 0; i < cookies.length; i++) {
            if ("JSESSIONID".equalsIgnoreCase(cookies[i].getName())) {
                // Expire the old cookie in the browser. The deletion only takes
                // effect if the path matches the one the container set it with,
                // which is the context path ("/" for the root context).
                cookies[i].setMaxAge(0);
                cookies[i].setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
                response.addCookie(cookies[i]);
            }
        }
    }
%>
```

At logout:

```jsp
<%
    // Stop browser and proxy caches from serving the authenticated page after logout.
    response.setHeader("Pragma", "no-cache");
    response.setHeader("Cache-Control", "no-cache");
    response.setDateHeader("Expires", 0);
    // Invalidate the current session if there is one; there is no need to
    // create a fresh session only to destroy it.
    HttpSession current = request.getSession(false);
    if (current != null) {
        current.invalidate();
    }
%>
```
Spring Security's approach:
Step 1: Extract all attributes and values from the old session.
Step 2: Invalidate the old session.
Step 3: Create a new session and copy all attributes and values of the old session into it.
The corresponding code (an excerpt from Spring Security's session fixation protection strategy, with the original listing's case and spacing restored):

```java
/**
 * Called to extract the existing attributes from the session, prior to invalidating it. If
 * {@code migrateAttributes} is set to {@code false}, only Spring Security attributes will be retained.
 * All application attributes will be discarded.
 * <p>
 * You can override this method to control exactly what is transferred to the new session.
 *
 * @param session the session from which the attributes should be extracted
 * @return the map of session attributes which should be transferred to the new session
 */
protected Map<String, Object> extractAttributes(HttpSession session) {
    return createMigratedAttributeMap(session);
}

final HttpSession applySessionFixation(HttpServletRequest request) {
    HttpSession session = request.getSession();
    String originalSessionId = session.getId(); // kept by the original code for logging
    Map<String, Object> attributesToMigrate = extractAttributes(session);
    session.invalidate();
    session = request.getSession(true); // we now have a new session
    transferAttributes(attributesToMigrate, session);
    return session;
}
```

Note: `session = request.getSession(true);` is the point at which a new session, with a new ID, is created.
getSession

public HttpSession getSession(boolean create)

Returns the current HttpSession associated with this request or, if there is no current session and create is true, returns a new session.

If create is false and the request has no valid HttpSession, this method returns null.

To make sure the session is properly maintained, you must call this method before the response is committed. If the container is using cookies to maintain session integrity and is asked to create a new session when the response is committed, an IllegalStateException is thrown.

Parameters:
create - true to create a new session for this request if necessary; false to return null if there is no current session
Returns:
the HttpSession associated with this request, or null if create is false and the request has no valid session
Note: calling session.invalidate() at login or logout is the simplest way to clear the "Session ID not updated" finding; the Spring Security approach, which migrates the session attributes as well, is the more thorough fix.
Reprinted from: http://www.cnblogs.com/davidwang456/p/3615304.html
Reference 2
First, add a new class, NewSessionFilter:

```java
package com.test.web.common;

import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.Session;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Servlet filter that rotates the session ID on the login POST: the attributes of
 * the pre-login session are saved, the session is invalidated, a new session is
 * created and the saved attributes are copied into it.
 */
public class NewSessionFilter implements Filter {

    private static final Logger logger = LoggerFactory.getLogger(NewSessionFilter.class);

    public static final String NEW_SESSION_INDICATOR = "com.cacss.sc.web.common.NewSessionFilter";

    /**
     * Marks the current Shiro session as freshly created. Subject.getSession()
     * returns a Shiro Session, not an HttpSession, so it must not be cast to one.
     */
    public static void newSession() {
        Session session = SecurityUtils.getSubject().getSession(true);
        session.setAttribute(NEW_SESSION_INDICATOR, true);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        logger.debug("NewSessionFilter init");
    }

    @Override
    public void destroy() {
        logger.debug("NewSessionFilter destroy");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            String url = httpRequest.getRequestURI();
            HttpSession session = httpRequest.getSession();
            logger.debug("NewSessionFilter doFilter {} session {}", url, session.getId());

            // -------- Copy the session attributes to a temporary map
            Map<String, Object> old = new HashMap<String, Object>();
            Enumeration<String> keys = session.getAttributeNames();
            while (keys.hasMoreElements()) {
                String key = keys.nextElement();
                if (!NEW_SESSION_INDICATOR.equals(key)) {
                    old.put(key, session.getAttribute(key));
                    session.removeAttribute(key);
                }
            }

            // -------- On the login POST, replace the session with a new one.
            // url is the request URI itself, so the endsWith() check always holds;
            // the filter-mapping in web.xml is what limits this filter to /login.
            if ("POST".equals(httpRequest.getMethod()) && !session.isNew()
                    && httpRequest.getRequestURI().endsWith(url)) {
                session.invalidate();
                session = httpRequest.getSession(true);
                logger.debug("New session: {}", session.getId());
            }

            // -------- Copy the attributes back into the (possibly new) session
            for (Map.Entry<String, Object> entry : old.entrySet()) {
                session.setAttribute(entry.getKey(), entry.getValue());
            }
        }
        chain.doFilter(request, response);
    }
}
```
Then, configure the filter in web.xml:

```xml
<!-- filter-class must match the package declared in NewSessionFilter.java
     (com.test.web.common above; the original listing used com.cacss.sc.web.common). -->
<filter>
    <filter-name>NewSessionFilter</filter-name>
    <filter-class>com.test.web.common.NewSessionFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>NewSessionFilter</filter-name>
    <url-pattern>/login</url-pattern>
</filter-mapping>
```
After this change, restart the application server: the JSESSIONID before and after login is now different, which resolves the "Session ID not updated" finding.
Reprinted from: http://blog.csdn.net/happylee6688/article/details/42104375
The two methods above are for reference; test them against the actual application.
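To verify either fix against the actual application, the following check reproduces AppScan's test from point 1: it records the session cookie issued before the login POST, presents that ID during login, and reports whether the server issued a different one afterwards. This is an added example, not code from the original post or from AppScan; the form-based login endpoint, the form fields and the sample Set-Cookie headers are constructed assumptions.

```python
from http.cookies import SimpleCookie
import http.client
import urllib.parse

def session_ids(set_cookie_headers, name="JSESSIONID"):
    """Values assigned to cookie `name` by a list of Set-Cookie headers, in
    order; a Max-Age=0 deletion (as in the JSP fix above) is recorded as ""."""
    ids = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for key, morsel in jar.items():
            if key.upper() == name.upper():
                ids.append("" if morsel["max-age"] == "0" else morsel.value)
    return ids

def session_rotated(before, after, name="JSESSIONID"):
    """AppScan's decision: the ID issued before login must differ from the one
    issued after it. No new cookie after login means the old ID survived."""
    pre = [v for v in session_ids(before, name) if v]
    post = [v for v in session_ids(after, name) if v]
    return bool(pre) and bool(post) and pre[-1] != post[-1]

def check_login(host, path, form_fields, name="JSESSIONID", port=443, tls=True):
    """Run the check against a form-based login endpoint (assumed layout):
    GET the page, then POST the form while presenting the pre-login ID."""
    conn_cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = conn_cls(host, port)   # http.client does not follow redirects, so
    conn.request("GET", path)     # the 302 after login keeps its Set-Cookie headers
    first = conn.getresponse()
    first.read()
    before = first.headers.get_all("Set-Cookie") or []
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    pre = [v for v in session_ids(before, name) if v]
    if pre:
        headers["Cookie"] = "%s=%s" % (name, pre[-1])
    conn.request("POST", path, body=urllib.parse.urlencode(form_fields).encode(),
                 headers=headers)
    second = conn.getresponse()
    second.read()
    after = second.headers.get_all("Set-Cookie") or []
    conn.close()
    return session_rotated(before, after, name)

# Constructed sample headers: what a vulnerable and a fixed server return
# (before-login headers, after-login headers).
VULNERABLE = (["JSESSIONID=ABC123; Path=/app; HttpOnly"], [])
FIXED = (["JSESSIONID=ABC123; Path=/app; HttpOnly"],
         ["JSESSIONID=ABC123; Max-Age=0; Path=/app", "JSESSIONID=XYZ789; Path=/app; HttpOnly"])
```

`session_rotated(*VULNERABLE)` is False and `session_rotated(*FIXED)` is True; `check_login("localhost", "/app/login", {"username": "u", "password": "p"}, port=8080, tls=False)` runs the same decision against a running server.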
Fixing the "Session ID not updated" vulnerability in Java or JSP