
how can i make the session id more secure

 
saivenkat venkatesan
How can I make the session ID more secure? Can I use HTTPS instead of HTTP to send requests? How will HTTPS help me?
 
Bear Bibeault
What makes you think it's insecure?
 
John G Martinson
How can I make the session ID more secure? Can I use HTTPS instead of HTTP to send requests? How will HTTPS help me?


Well, first you have to decide what is not secure enough about the session id. This should be something that is handled within the context of the servlet container. Unfortunately HTTPS may not help very much in getting rid of attacks that involve taking advantage of session id cracks.

Which container are you using, and how does it implement the session id?
What kinds of attacks are you worried about? Answer those questions, and then you will start to be able to answer how to make the session id more secure.
 
Ben Souther
Originally posted by John G Martinson:

Unfortunately HTTPS may not help very much in getting rid of attacks that involve taking advantage of session id cracks.


Actually, it can help quite a bit.
Try firing up a packet sniffer and watch the traffic between a browser and a servlet app running under SSL. Then watch the traffic between a browser and a non-secure servlet app.
In the latter, you will see the JSPSESSIONID and its value, in plain text.
In the former, all of that is encrypted.


Non-Secure:


Same app under SSL:



Which looks easier to hack to you?

[BPS: Added newlines to the ssl gobblygook]
[ September 13, 2006: Message edited by: Ben Souther ]
 
John G Martinson
Encryption != Security.

See this article

The problem lies in how the Jsessionid is created and used. If it is created in such a way that a third party can predict it or at least reasonably guess at it, it is not very secure. And remember that Tomcat and other Servlet containers are open source, and malicious people do look at the source code to see what is happening.

So the trick is to make up your own unique session id that cannot be guessed or predicted, find a way to change the sessionid on login or ignore the Jsessionid within your servlet, put your new sessionid into a different cookie, and make your own session tracking, which may be a royal pain depending on how complex your app is.

The thing is I don't really know how to change the Jsessionid, so if someone else does, that would be good to see.
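Since nobody in the thread says how to change the JSESSIONID, here is an added example (not from any poster) of doing it in a Servlet 3.1+ container: the ID is rotated at login so a session fixed on the client before authentication is worthless afterwards, and the session cookie is marked Secure and HttpOnly so it is never sent over plain HTTP or read by scripts. It assumes the javax.servlet namespace (jakarta.servlet on Jakarta EE 9+) and a hypothetical authenticate() method standing in for the app's real credential check.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.http.*;

/** Added example: rotate the session ID at login (session fixation defence). */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        if (!authenticate(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Whatever JSESSIONID the browser arrived with (possibly one a third
        // party planted before login) is retired here; the container issues a
        // fresh random ID and keeps the session's attributes. changeSessionId()
        // is Servlet 3.1+; on older containers the equivalent is
        // session.invalidate() followed by req.getSession(true).
        HttpSession session = req.getSession(true);
        req.changeSessionId();
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Hypothetical credential check; replace with the app's real user store.
    private boolean authenticate(String user, String password) {
        return user != null && password != null && !password.isEmpty();
    }

    /** Added example: send the cookie only over HTTPS and hide it from JS. */
    @WebListener
    public static class SessionCookieHardening implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            // Must run at startup; calling this after initialization throws
            // IllegalStateException. Same effect as <cookie-config> in web.xml.
            SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
            cfg.setSecure(true);    // browser sends JSESSIONID only over HTTPS
            cfg.setHttpOnly(true);  // not exposed through document.cookie
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) { }
    }
}
```

With the Secure flag set, the cookie issued under SSL is never replayed over a plain HTTP request, which is the separation Ben describes below for Tomcat.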
 
Ben Souther
Tomcat uses separate session IDs for secure and non-secure connections (as, I believe most containers do).
Even guessing the sessionID won't get you access unless you can intercept the SSL session.
 
Ben Souther
Also, if you look at a series of sessionIDs, you'll see that they're not incremental as the article in your link suggests; they're random.
Again, this is a moot point anyway since you can't do anything with the session id generated under a secure connection from a non-secure connection anyway.
[ September 13, 2006: Message edited by: Ben Souther ]
 