Question

In the Java Servlet API, what is done to ensure that someone's session id is not stolen?

For example, if I had an active session and someone somehow got hold of my session ID, could they use it?


Solution

Nothing prevents it. You get the session ID, you can take part in the session.

In the usual case of cookies this is not a risk in itself. The attacker should not be able to read a user's session cookie unless:

  1. they've got man-in-the-middle capability, in which case you've got much worse problems than just session IDs;

  2. you've left a cross-site-scripting hole, in which case you've got much worse problems than just session IDs;

  3. you're vulnerable to DNS-rebinding/cross-domain-cooking attacks, in which case you should fix it by only allowing known-good Host: requests.

(Whilst you can try tying sessions to IP addresses, this risks breaking valid sessions due to e.g. round-robin proxies. IPs can be used as part of a wider strategy for detecting suspicious activity, but on the public internet it's not a good idea always to require each request in a session to come from the same IP.)

Unfortunately in Servlet there is another case, apart from cookies: jsessionid= parameters. Since they appear in the URL itself, that makes them much more leaky (e.g. via referrers and pasted links). And that's far from the only practical problem with parameter session IDs. They mess up navigation and wreck SEO.

In my opinion jsessionid= URLs are one of Servlet's worst early mistakes, a discredited cookie fallback strategy from yesteryear that shouldn't be used for anything. But certainly they shouldn't be allowed to grant access to any privileged data; consider using HTTP Basic Authentication instead if you need a fallback mechanism for browsers that don't support cookies.

In Servlet 3.0 you can disable jsessionid= URLs easily using <session-config> in the web.xml; unfortunately in previous versions you are left mucking around with filters if you want to properly disable the feature.
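The answer above names three things to do: disable jsessionid= URL rewriting, keep the cookie out of reach of script and plaintext HTTP, and accept only known-good Host: headers. The following class is an added example (not code from the original answer) showing all three through the Servlet 3.0 programmatic API, which is the Java equivalent of the `<session-config>` settings the answer refers to. It assumes the `javax.servlet` 3.0 API and a Java 9+ runtime (for `Set.of`); the hostname `app.example.com` is a placeholder for the deployment's real allowlist.

```java
import java.io.IOException;
import java.util.EnumSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Programmatic equivalent of
 *   <session-config>
 *     <tracking-mode>COOKIE</tracking-mode>
 *     <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
 *   </session-config>
 * plus a Host: allowlist filter, registered at context start-up.
 */
@WebListener
public class SessionHardeningListener implements ServletContextListener {

    // Placeholder allowlist; a real deployment would load it from configuration.
    // Entries are compared against the raw Host header, so include the port form
    // if clients send one.
    static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com", "app.example.com:443");

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // 1. Cookies only: the container no longer rewrites ;jsessionid=... into
        //    URLs, so the ID cannot leak through referrers, logs or pasted links.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // 2. Cookie flags: HttpOnly keeps the ID away from script (narrows the XSS
        //    case), Secure keeps it off plaintext HTTP (narrows the MITM case).
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);
        cookie.setSecure(true);

        // 3. Reject requests whose Host: header is not one we serve, which is the
        //    fix the answer gives for DNS-rebinding / cross-domain cooking.
        FilterRegistration.Dynamic reg = ctx.addFilter("hostAllowlist", new HostAllowlistFilter());
        reg.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), true, "/*");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }

    /** Answers 400 to any request whose Host: header is absent or not allowlisted. */
    static final class HostAllowlistFilter implements Filter {
        @Override
        public void init(FilterConfig filterConfig) {
        }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            String host = request.getHeader("Host");
            if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown Host");
                return;
            }
            chain.doFilter(req, res);
        }

        @Override
        public void destroy() {
        }
    }
}
```

Drop the class into the web application and the container picks it up through the `@WebListener` annotation; `setSessionTrackingModes` and `addFilter` are only permitted during `contextInitialized`, which is why the filter is registered there rather than with its own annotation. On a pre-3.0 container none of these calls exist, which is the "mucking around with filters" the answer mentions: the usual substitute is a filter that wraps the response and makes `encodeURL`/`encodeRedirectURL` return the URL unchanged.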

OTHER TIPS

Yes, they could use it. Nothing is done to protect it unless you put all your traffic over SSL.

This is how Firesheep works, which recently got a lot of attention for making session stealing easy.

Yes, the Session ID gives someone access to the corresponding session.

You could store the IP used during login in the session and, when the IP changes, require the user to log in again. Additionally (not sure if that's done automatically though) you could do the same for the User-Agent. This doesn't really increase safety against malicious attacks, though, just against dumb users giving away their session ID accidentally if it's passed via GET and not a cookie.
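The answer above suggests binding a session to the User-Agent and IP seen at login and forcing a fresh login when either changes. As an added example (not the answer's own code), the filter below does exactly that with the `javax.servlet` 3.0 API, with IP binding off by default because, as the accepted answer notes, round-robin proxies can change a legitimate client's address mid-session. The attribute names, the `bindToIp` init parameter and the `/login` path are assumptions for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Binds each session to the User-Agent (and optionally the client IP) seen on
 * its first request. A later request carrying the same session ID but a
 * different fingerprint invalidates the session and sends the client to the
 * login page, which is the "require the user to log in again" behaviour
 * described in the answer.
 */
@WebFilter(urlPatterns = "/*",
           initParams = @WebInitParam(name = "bindToIp", value = "false"))
public class SessionBindingFilter implements Filter {

    // Hypothetical session attribute names used to store the fingerprint.
    static final String UA_ATTR = "binding.userAgent";
    static final String IP_ATTR = "binding.remoteAddr";

    private boolean bindToIp;

    @Override
    public void init(FilterConfig cfg) {
        // Off by default: clients behind rotating proxies would be logged out
        // constantly, so only enable this where the client population is known.
        bindToIp = "true".equalsIgnoreCase(cfg.getInitParameter("bindToIp"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session, so anonymous requests pass through.
        HttpSession session = request.getSession(false);
        if (session != null && !fingerprintMatches(session, request)) {
            request.getServletContext().log("session fingerprint mismatch from "
                    + request.getRemoteAddr() + ", invalidating session");
            session.invalidate();
            response.sendRedirect(request.getContextPath() + "/login"); // assumed login page
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Records the fingerprint on first sight and compares it on every later
     * request. A missing User-Agent is treated as the literal "null" string so
     * that a request with the header and one without never match each other.
     */
    private boolean fingerprintMatches(HttpSession session, HttpServletRequest request) {
        String userAgent = String.valueOf(request.getHeader("User-Agent"));
        String remoteAddr = request.getRemoteAddr();

        Object boundUa = session.getAttribute(UA_ATTR);
        if (boundUa == null) {
            // First request on this session: remember what we saw.
            session.setAttribute(UA_ATTR, userAgent);
            session.setAttribute(IP_ATTR, remoteAddr);
            return true;
        }
        if (!boundUa.equals(userAgent)) {
            return false;
        }
        return !bindToIp || remoteAddr.equals(session.getAttribute(IP_ATTR));
    }

    @Override
    public void destroy() {
    }
}
```

The check is a detection aid rather than a defence: anyone who obtained the session ID from the same browser, or through a leaked URL, can send the same User-Agent header, so the filter mainly catches the accidental-sharing case the answer describes. Pair it with the cookie-only tracking mode so that the ID is not in the URL in the first place.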

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow