JSESSION / HTTPSession and application session id

In a web application based on MVC with an authentication and authorization model, we recently switched to Spring MVC. As part of this step, we are also considering moving from a locally generated GUID that is passed with each request to a cookie-based session identifier.

At first glance, it seems that in our case this would be a big drawback, since the standard JSESSION / HttpSession seems to be the root of all security threats:

  • Session fixation (in the existing code the session is created only after a successful login, so we never need to invalidate() sessions).
  • CSRF: the session is never transmitted as a cookie, so this is never a risk (and god, this is a problem that needs to be dealt with, since there is no real framework or common solution; HDIV and CSRFGuard were checked).
  • Test usability: QA can easily have multiple users with multiple roles connected to the same server, which is not possible with JSESSION.
  • Issues with creating and invalidating an HTTPSession in various containers (Weblogic, JBOSS and Websphere).
  • Inconsistent JSESSION handling when switching between HTTP and HTTPS.

So, besides the obvious benefit of being standard, any clues as to why I would want to go the JSESSION route?

+4
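As an added example (not code from the original question, and not Spring MVC's own code), the standard countermeasure for the session fixation concern in the first bullet: a servlet login handler that never promotes a pre-login JSESSIONID. It invalidates whatever session the browser presented, lets the container issue a fresh id, and only then stores the principal. The class name `LoginServlet`, the `authenticate` hook, the `/home` redirect and the 15-minute idle timeout are assumptions made for the example.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: login that migrates the container session on success so a
// JSESSIONID the browser held before authentication (possibly planted by an
// attacker: session fixation) is never the id of the authenticated session.
public class LoginServlet extends HttpServlet {

    // Hypothetical credential check; a real one consults the user store.
    protected boolean authenticate(String user, String password) {
        return "alice".equals(user) && "correct horse".equals(password);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!authenticate(req.getParameter("username"), req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 1. Copy the pre-login state worth keeping (locale, "return to" URL),
        //    then discard the old session together with its id.
        Map<String, Object> carried = new HashMap<>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }

        // 2. The container issues a new JSESSIONID for the fresh session; only
        //    now does the session carry an authenticated principal.
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        fresh.setAttribute("principal", req.getParameter("username"));
        fresh.setMaxInactiveInterval(15 * 60); // idle timeout in seconds (assumed policy)

        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```

Servlet 3.1 and later containers also offer `HttpServletRequest.changeSessionId()`, which rotates the id in place while keeping the attributes; the invalidate-and-recreate pattern above is what works on the older Weblogic, JBoss and Websphere versions the question lists. For the HTTP/HTTPS point: a session cookie issued without the `Secure` flag is sent over plain HTTP as well, so with a Servlet 3.0 descriptor set `<session-config><cookie-config><secure>true</secure><http-only>true</http-only></cookie-config></session-config>` in web.xml.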
2 answers

After long analysis, testing and discussion, it seems that in my case (not a RESTful application, a desktop-like RIA front-end, and wide-ranging security concerns), JSESSION is not the way to go (CSRF mostly), and the best option is a key embedded in the BODY. This means, however, that the application will have to handle timeouts and session invalidation itself.

0
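The answer above notes that dropping HttpSession moves timeouts and invalidation into the application. As an added example (not the poster's code), this is the minimal bookkeeping that replaces the container: a registry keyed by a random value the client echoes in the request body, with an idle timeout, explicit invalidation and a sweep of abandoned entries. The class `BodyKeySessions`, the 15-minute idle policy and the injected `Clock` (so expiry can be exercised deterministically) are assumptions made for the example.

```java
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZoneOffset;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Added example: application-managed sessions keyed by a value the client
// sends in the request body instead of a JSESSIONID cookie.
public final class BodyKeySessions {

    public static final Duration IDLE_TIMEOUT = Duration.ofMinutes(15); // assumed policy

    private static final class Entry {
        final String principal;
        volatile Instant lastSeen;
        Entry(String principal, Instant now) { this.principal = principal; this.lastSeen = now; }
    }

    private final Map<String, Entry> live = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final Clock clock;

    public BodyKeySessions(Clock clock) { this.clock = clock; }

    // Called after a successful login. 128 random bits from SecureRandom; a
    // GUID derived from time or hardware addresses would be guessable.
    public String create(String principal) {
        byte[] raw = new byte[16];
        rng.nextBytes(raw);
        String key = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        live.put(key, new Entry(principal, clock.instant()));
        return key;
    }

    // Called on every request with the key taken from the body. Returns the
    // principal if the key is live; an idle-expired key is dropped so it
    // cannot be revived by a later request.
    public Optional<String> touch(String key) {
        if (key == null) return Optional.empty();
        Entry e = live.get(key);
        if (e == null) return Optional.empty();
        Instant now = clock.instant();
        if (Duration.between(e.lastSeen, now).compareTo(IDLE_TIMEOUT) > 0) {
            live.remove(key);
            return Optional.empty();
        }
        e.lastSeen = now;
        return Optional.of(e.principal);
    }

    // Explicit logout: the equivalent of the container's invalidate().
    public void invalidate(String key) {
        if (key != null) live.remove(key);
    }

    // Periodic housekeeping for keys whose clients simply went away.
    public int sweep() {
        Instant cutoff = clock.instant().minus(IDLE_TIMEOUT);
        int before = live.size();
        live.values().removeIf(e -> e.lastSeen.isBefore(cutoff));
        return before - live.size();
    }

    // Test clock whose time is advanced by hand.
    static final class StepClock extends Clock {
        Instant now = Instant.parse("2024-01-01T00:00:00Z");
        @Override public ZoneId getZone() { return ZoneOffset.UTC; }
        @Override public Clock withZone(ZoneId zone) { return this; }
        @Override public Instant instant() { return now; }
    }

    public static void main(String[] args) {
        StepClock clock = new StepClock();
        BodyKeySessions sessions = new BodyKeySessions(clock);
        String key = sessions.create("alice");
        System.out.println("fresh key:         " + sessions.touch(key));
        clock.now = clock.now.plus(Duration.ofMinutes(16));
        System.out.println("after 16 min idle: " + sessions.touch(key));
        String other = sessions.create("bob");
        sessions.invalidate(other);
        System.out.println("after logout:      " + sessions.touch(other));
    }
}
```

The registry is in-process, which is exactly the "non-standard" cost the poster accepted: a cluster needs a shared store, and the key must travel only in the body (never in a GET URL), or it ends up in browser history and proxy logs.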

Not quite a definitive answer about why you should or should not use JSESSION, but here are some comments regarding your concerns:

  • Your application should not rely on whether a session exists or not. It should rely on the session being valid according to the specific rules you imposed on it (the user is authenticated, the roles assigned to this user, etc.).
  • CSRF doesn't really matter much if you don't use GET for meaningful actions, and since you mentioned Spring MVC, that is easy to achieve with it.
  • True, if you rely on only one browser. And as a side note, while manual testing remains mandatory in some situations, many use cases can benefit from automation, which reduces the impact of switching from role to role.
  • Never ran into a problem. But I try to keep the session content as small as possible.
  • And this is good. It may prevent you from dropping out of a secure connection without noticing it.

Now, whichever option you choose, there will always be some flaws. Having a UUID in every request (and therefore potentially in every GET URL) prevents users from easily using bookmarks. Also, you do not get to persist your session.

+1
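The second bullet of this answer ties CSRF to GET. A browser will just as readily auto-submit a cross-site POST form with the session cookie attached, so state-changing POST handlers need a check of their own. As an added example (not from the answer, and not Spring's own CSRF support), a Spring MVC `HandlerInterceptor` implementing the synchronizer-token pattern: a per-session random token is exposed to views, safe methods pass through, and every other method must echo the token in a `_csrf` body parameter. The class name `CsrfTokenInterceptor`, the parameter name and the attribute name are assumptions made for the example; it targets the `javax.servlet` API that matches the containers in the question.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

// Added example: synchronizer-token CSRF check as a Spring MVC interceptor.
public class CsrfTokenInterceptor implements HandlerInterceptor {

    public static final String TOKEN_ATTR = "csrfToken"; // session and request attribute (assumed name)
    public static final String TOKEN_PARAM = "_csrf";    // body parameter carrying the token (assumed name)
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");

    private final SecureRandom rng = new SecureRandom();

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse resp, Object handler)
            throws Exception {
        HttpSession session = req.getSession(true);
        String expected = (String) session.getAttribute(TOKEN_ATTR);
        if (expected == null) {
            expected = newToken();
            session.setAttribute(TOKEN_ATTR, expected);
        }
        // Views read this attribute to render the hidden form field.
        req.setAttribute(TOKEN_ATTR, expected);

        if (SAFE_METHODS.contains(req.getMethod())) {
            return true; // only valid if GET/HEAD/OPTIONS handlers never change state
        }
        // getParameter() reads the form body, so the token must be a form field,
        // not a query-string value the attacker could put in a URL.
        String presented = req.getParameter(TOKEN_PARAM);
        if (presented == null || !tokensMatch(expected, presented)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return false; // the controller is not invoked
        }
        return true;
    }

    @Override
    public void postHandle(HttpServletRequest req, HttpServletResponse resp, Object handler,
                           ModelAndView mav) { }

    @Override
    public void afterCompletion(HttpServletRequest req, HttpServletResponse resp, Object handler,
                                Exception ex) { }

    private String newToken() {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Constant-time comparison so the check does not leak the token byte by byte.
    static boolean tokensMatch(String expected, String presented) {
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }
}
```

Register it with `<mvc:interceptors><bean class="CsrfTokenInterceptor"/></mvc:interceptors>` in the MVC XML configuration (using the class's fully qualified name), or via `addInterceptors` in a `WebMvcConfigurer`, and render `<input type="hidden" name="_csrf" value="${csrfToken}">` in every form. The attacker's page cannot read the victim's token, so a forged POST arrives without it and gets a 403, which is what makes the cookie-based JSESSIONID usable without the body-key redesign. Spring Security later shipped the same pattern as its built-in `CsrfFilter`; under Spring 6 the servlet imports become `jakarta.servlet`.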

Source: https://habr.com/ru/post/1342284/
