
Can I regenerate the Session id

 
Hoe Chin
Greenhorn
Posts: 23
I want to prevent session hijacking, so I intend to regenerate the session id once the user logs in to the system. Can I do that? I know that once you run the JSF page the session will auto-create, but how do I change the session.getId() value once the user logs in to the system?
 
Himanshu Gupta
Ranch Hand
Posts: 598
Well I am not very sure...

One solution that may work is to invalidate the session when the user logs in and then create it again. I have never done it this way.

Just try it and see.

But in this case also, how will you stop session hijacking?
 
Hoe Chin
Greenhorn
Posts: 23
I read on the website that regenerating the session id after the user logs in will be more secure. Actually I tried the solution you mentioned, but if you invalidate, that means it will log out the user and then create the session again.
 
Himanshu Gupta
Ranch Hand
Posts: 598
In that case you should have invalidated the session before the user logs in. That will cause unnecessary overhead of creating sessions whenever there are validation errors.

 
Hoe Chin
Greenhorn
Posts: 23
But do you think we can generate the session id by ourselves?
Let's say I have a method that generates a unique id; can we set the session id ourselves rather than using session.getSession(true)?
 
Himanshu Gupta
Ranch Hand
Posts: 598
Android Eclipse IDE Ubuntu
I am talking about creating new session, that's why I said that it will be an overhead.
Well, if there is some API which can regenerate the session id then it is all done.

Internally, sessions are maintained as maps which are again in maps, with session IDs as their keys.
 
Cameron Wallace McKenzie
author and cow tipper
Saloon Keeper
Posts: 4968
I'm curious. What resource directed you on the path to perform this type of logic to secure your session? I'm interested. I'm wondering if the suggested resource doesn't provide some kind of design pattern or code samples for performing such a thing?

-Cameron McKenzie
 
Hoe Chin
Greenhorn
Posts: 23
So you mean that regenerating the session after the user logs in to the system won't be more secure? Can you suggest a few ways to secure the session? Or do you know how to prevent session hijacking? Sorry, I am new to sessions; I'm not sure whether this is correct or not, please correct me. Thanks.
 
Cameron Wallace McKenzie
author and cow tipper
Saloon Keeper
Posts: 4968
Hoe Chin wrote: So you mean that regenerating the session after the user logs in to the system won't be more secure?

Well, I'm not here to judge what you think is important. It just seems like a lot of work, and I'm really not sure how big the payoff is.

If this is a tried, tested and true way to eliminate session hijacking, it would surely be documented somewhere.

I've done a lot of work on secure web applications, but I've never seen anyone spend a lot of time coding this type of process. But that doesn't mean it's not worthwhile, it just means that I've never seen it done before, and as a result, I'm a little bit leery.

-Cameron McKenzie

 
Tim Holloway
Bartender
Posts: 18531
Just as a cynical observation. The more convoluted a security framework is, the less secure it tends to be, in my experience.

The standard security infrastructures were designed by people who more or less got paid to do nothing but security and whose training and background was in security. Relatively few amateurs manage to do a better job than they did. Most of the DIY stuff I've encountered, in fact, has all the security hardness of a block of Velveeta sitting on top of a hot automobile in mid-Summer in the sun.
 
Cameron Wallace McKenzie
author and cow tipper
Saloon Keeper
Posts: 4968
Most of the DIY stuff I've encountered, in fact, has all the security hardness of a block of Velveeta sitting on top of a hot automobile in mid-Summer in the sun.


Exactly the point I was trying to make without being so cynical.

-Cameron McKenzie
 
Hoe Chin
Greenhorn
Posts: 23
So what is the best way to secure the Session? How to regenerate a new session upon successful authentication or privilege level change.
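The procedure discussed above (invalidate the pre-login session and create a fresh one, without logging the user out and without paying the cost on every failed login attempt) looks like this in servlet code. This is an added example, not code posted in the thread or part of any project; it assumes the Servlet 3.0+ `javax.servlet` API (on Jakarta EE 9 and later the package is `jakarta.servlet`), and `onLoginSuccess`, the `"user"` attribute name and the `SessionRegeneration` class name are placeholders chosen for the example.

```java
// Added example (not from the thread): rotate the HTTP session on successful
// authentication or privilege change. Assumes Servlet 3.0+ (javax.servlet).
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class SessionRegeneration {

    private SessionRegeneration() {
    }

    /**
     * Replaces the caller's current session with a fresh one carrying the same
     * attributes. The application still sees the same state, but the session id
     * the browser held before authentication stops being accepted.
     *
     * @return the new session; the caller records the authenticated user in it
     */
    public static HttpSession regenerate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();

        if (old != null) {
            // Save whatever the application stored before login (e.g. the
            // page the user originally asked for) so it survives the rotation.
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            // Invalidating is what retires the old id: a request that still
            // presents it gets a brand-new, anonymous session instead.
            old.invalidate();
        }

        // The container allocates the new id; application code never chooses one.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }

    /**
     * Hypothetical login handler: the session is rotated only after the
     * credential check has succeeded, so validation errors on the login form
     * do not churn sessions.
     */
    public static void onLoginSuccess(HttpServletRequest request, String username) {
        HttpSession session = regenerate(request);
        session.setAttribute("user", username);
    }
}
```

Call `onLoginSuccess` from the login action once the credentials have been verified; the same call is appropriate wherever the user's privilege level changes. On a Servlet 3.1 or newer container the whole `regenerate` method can be replaced by a single `request.changeSessionId()`, which issues a new id and keeps the existing attributes in place.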
 
Tim Holloway
Bartender
Posts: 18531
The question I'm wrestling with is "Does it matter?".

The session ID itself contains no actual secured information. It's just a handle that allows continuity of conversation between client and server in what would otherwise be a completely stateless protocol. Technically, you could use a different session ID for each request/response cycle, although for those of us who pop open alternate windows into the app that could get awkward.

The more important consideration is the security of the channel. You shouldn't be passing secure data between the client and server unless you're using a secure transport and have likewise secured the portions of the app that deal with secure data. If the app is secured, having the session ID wouldn't be sufficient - you'd also have to have the secure channel. About the only way you can interfere is if you can set up a man-in-the-middle exploit and hijack the secure channel.

The only reason I even thought twice about this is because JSF tends to establish sessions long before signon and because JSF postbacks often deal with information that wouldn't otherwise be travelling back and forth.
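The "secure the channel and the secure portions of the app" advice above maps onto container configuration that the application can set programmatically. This is an added example, not code from the thread or from any project; it assumes Servlet 3.0+ (`javax.servlet`), and the `/account/*` mapping, the `"user"` role and the class names are placeholders for the application's own paths and roles.

```java
// Added example (not from the thread): harden the session cookie and require
// HTTPS plus an authenticated role for the part of the app that handles
// sensitive data. Assumes Servlet 3.0+ (javax.servlet); paths and roles are
// placeholders.
import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.HttpConstraintElement;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletSecurityElement;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebListener
public class SessionHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext context = event.getServletContext();

        // Session cookie: unreadable from page script, sent over HTTPS only.
        SessionCookieConfig cookie = context.getSessionCookieConfig();
        cookie.setHttpOnly(true);
        cookie.setSecure(true);

        // Cookie-only tracking: no ";jsessionid=..." rewritten into URLs, which
        // otherwise ends up in logs, bookmarks and Referer headers.
        context.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // The "secure portion" of the app: CONFIDENTIAL makes the container
        // redirect plain-HTTP requests to HTTPS, and the role requirement means
        // a session id alone, without authentication, grants nothing here.
        context.declareRoles("user");
        ServletRegistration.Dynamic account =
                context.addServlet("account", AccountServlet.class);
        account.addMapping("/account/*");
        account.setServletSecurity(new ServletSecurityElement(
                new HttpConstraintElement(
                        ServletSecurity.TransportGuarantee.CONFIDENTIAL, "user")));
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // Nothing to release.
    }

    /** Placeholder servlet standing in for the pages that show account data. */
    public static class AccountServlet extends HttpServlet {
        private static final long serialVersionUID = 1L;

        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("Account page for " + req.getRemoteUser());
        }
    }
}
```

The same settings can be expressed in web.xml (`<cookie-config>` with `<http-only>` and `<secure>`, `<tracking-mode>COOKIE</tracking-mode>`, and a `<security-constraint>` with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>`); the listener form is shown because it keeps the whole policy in one reviewable place.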
 