This post describes how to deal with a session ID being re-used after invalidate() is called; readers facing the same problem may find it useful.

Problem description

I've inherited a pretty ancient JSP application (JDK 1.3.1_15) and am attempting to plug a session fixation hole.

I'm successfully invalidating the current session after authentication using HttpSession.invalidate(); however, when the new session is created, the old session ID is re-used.

<%
// login.jsp
if (authenticated) {
    request.getSession().invalidate();

    // create new session and store data
    HttpSession session = request.getSession();
    session.putValue(...);
    // etc

    response.sendRedirect("logged-in.jsp");
    return;
}
%>

I can see the new session assignment in my HTTP monitor; it's just using the same number again.

-- Initial request response --
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=6a303082951311647336934;path=/

-- login.jsp request response --
HTTP/1.1 302 Moved Temporarily
Location: http://example.com/logged-in.jsp
Set-Cookie: JSESSIONID=6a303082951311647336934;path=/

Prior to my using session.invalidate(), the second Set-Cookie response header was not present at all.

Does anybody have any advice on how to generate a new session ID? I'm not very familiar with JRUN4 but trawling through the configuration documentation hasn't turned up anything.

Recommended answer

To work around this, you can use a second non-persistent cookie to act as a session id that you can control the value of. The idea is to generate a unique id and store it in both the cookie and the session. Implement the same logic with this cookie that you are attempting to do with the session by using invalidate. Specifically, don't issue the actual identifier that will be accepted for future requests until authentication is successful. Then create a Servlet Filter that checks each request and matches the value of this new cookie to the value stored in the session. If they don't match, something nefarious is going on. I know it is a bit more cumbersome than just relying on session.invalidate() to issue a new id. But given your constraints and JRun's behavior, this will provide sufficient protection against session fixation.
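One way to build the scheme the answer describes, as an added example that is not code from the original post: a filter plus a helper written against the Servlet 2.3 API (the version that introduced filters), using the hypothetical cookie name AUTHTOKEN and session attribute name authToken. login.jsp calls AuthTokenFilter.issueToken(request, response) only after the credential check succeeds, and the filter is mapped in web.xml to the pages that require a login.

```java
import java.io.IOException;
import java.security.SecureRandom;
import javax.servlet.*;
import javax.servlet.http.*;

public class AuthTokenFilter implements Filter {
    static final String COOKIE = "AUTHTOKEN";   // hypothetical cookie name
    static final String ATTR = "authToken";     // hypothetical session attribute name
    private static final SecureRandom RNG = new SecureRandom();

    /** Call from login.jsp once credentials have been verified. */
    public static void issueToken(HttpServletRequest req, HttpServletResponse res) {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        StringBuffer sb = new StringBuffer();   // JDK 1.3 has no StringBuilder
        for (int i = 0; i < b.length; i++) {
            String h = Integer.toHexString(b[i] & 0xff);
            if (h.length() == 1) sb.append('0');
            sb.append(h);
        }
        String token = sb.toString();
        req.getSession().setAttribute(ATTR, token);  // server-side copy
        Cookie c = new Cookie(COOKIE, token);
        c.setMaxAge(-1);   // non-persistent: discarded when the browser closes
        c.setPath("/");
        res.addCookie(c);  // client-side copy, issued only after authentication
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession s = req.getSession(false);
        String expected = (s == null) ? null : (String) s.getAttribute(ATTR);
        if (expected != null) {                 // session claims to be authenticated
            String got = null;
            Cookie[] cs = req.getCookies();
            for (int i = 0; cs != null && i < cs.length; i++)
                if (COOKIE.equals(cs[i].getName())) got = cs[i].getValue();
            if (!expected.equals(got)) {        // JSESSIONID known, token missing or wrong
                s.invalidate();                 // drop the suspect session entirely
                res.sendRedirect("login.jsp");
                return;
            }
        }
        chain.doFilter(rq, rs);
    }
    public void init(FilterConfig fc) {}
    public void destroy() {}
}
```

A request that carries the re-used JSESSIONID but not the AUTHTOKEN value handed out at login is rejected and the session discarded, which is the check the answer calls for.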

08-24 13:30