session fixation

 
Parminder Dhillon
Greenhorn
Posts: 5
Please help in implementing session fixation in Java.

A countermeasure against session fixation is to generate a new session identifier (SID) on each request. Thus, although an attacker may trick a user into accepting a known SID, the SID will be invalid when the attacker attempts to re-use it. Implementation of such a system is simple, as demonstrated by the following:

• Get previous Session Identifier OLD_SID from HTTP request.
• If OLD_SID is null, empty, or no session with SID=OLD_SID exists, create a new session.
• Generate new session identifier NEW_SID with a secure random number generator.
• Let session be identified by SID=NEW_SID (and no longer by SID=OLD_SID).
• Transmit new SID to client.

Parminder
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
You also keep the same session but include a request counter, e.g. in each request the person needs to increment the counter by one (which is done via the app, not manually by the client) and the number is also kept on the server side. If they disagree or get out of synch the session is discarded.
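One way to put both ideas together in a servlet filter: the five-step SID rotation from the first post, plus the request counter David describes. This is an added example, not code from either poster; the class, attribute and header names are made up, and it assumes a Servlet 3.1+ container so that HttpServletRequest.changeSessionId() is available.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter, attribute and header names; assumes Servlet 3.1+ for changeSessionId().
public class SessionGuardFilter implements Filter {
    static final String COUNTER = "reqCounter";
    static final String SEQ_HEADER = "X-Req-Seq";

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Steps 1-2: OLD_SID is whatever the client presented. If absent or not a live session
        // here, never adopt it: getSession(true) drops the unknown id and issues a fresh one.
        String oldSid = request.getRequestedSessionId();
        HttpSession session;
        if (oldSid == null || oldSid.isEmpty() || !request.isRequestedSessionIdValid()) {
            session = request.getSession(true);
            session.setAttribute(COUNTER, 0L);
        } else {
            session = request.getSession(false);
            // Request counter: the client must present the last value it was given plus one.
            Long last = (Long) session.getAttribute(COUNTER);
            long expected = (last == null ? 0L : last) + 1;
            if (parseSeq(request.getHeader(SEQ_HEADER)) != expected) {
                session.invalidate(); // out of sync: discard the whole session
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            session.setAttribute(COUNTER, expected);
            // Steps 3-5: keep the attributes but rebind them under a container-generated
            // NEW_SID; OLD_SID stops working and the new cookie goes out with the response.
            request.changeSessionId();
        }
        // Counter the client must echo, incremented, on its next request.
        response.setHeader(SEQ_HEADER, String.valueOf(session.getAttribute(COUNTER)));
        chain.doFilter(req, res);
    }

    private static long parseSeq(String s) {
        try { return s == null ? -1L : Long.parseLong(s.trim()); }
        catch (NumberFormatException e) { return -1L; }
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Rotating the id on every request makes concurrent requests from the same page race (the second one arrives with an id that has already been retired), and the counter check has the same constraint, so many deployments only call changeSessionId() at login and other privilege changes.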
 