Servlet Session security

Discussion in 'Java' started by A, Jan 14, 2006.

  1. A

    A Guest

    To identify a request urlB as belonging to the same clientX who sent
    request urlA, the request to urlB must supply the session id which was given to
    it by the server, in any number of ways:
    FORM hidden fields, session id in the query string, or cookies.

    My question is this:
    if a client Y manages to find the session id by whichever way, it should
    not be so difficult to pretend to be clientX and attach to clientX's
    HttpSession on the server... Probably one way to kind of protect against
    this would be to associate the session id and IP and deny access to any other IP
    trying to access the session... but how do popular servlet containers and
    J2EE servers handle this?

    This mystifies me - perhaps it's something simple but I can't figure it out.
    On Yahoo for instance, if I log in to mail.yahoo.com but then type in
    another URL in the yahoo domain, say yp.yahoo.com,
    (with cookies turned off, with no session id being sent to the server
    through the URL) it still identifies me and greets me by my id.

    How does the server know to find my name in my authenticated session and
    serve a personalized page ?

    Thanks
    A, Jan 14, 2006
    #1

  2. A

    mgungora Guest

    It's done by an "authentication cookie". The usual method is, the
    server creates a "ticket" when you log in and stores it in a cookie
    for all your same-domain requests from the same machine.
    mgungora, Jan 14, 2006
    #2

  3. A

    Juha Laiho Guest

    A <> said:
    >if a client Y manages to find the session id by whichever way, it should
    >not be so difficult to pretend to be clientX and attach to clientX's
    >HttpSession on the server... Probably one way to kind of protect against
    >this would be to associate the session id and IP and deny access to any other IP
    >trying to access the session... but how do popular servlet containers and
    >J2EE servers handle this?


    .... but binding session id to the connection source IP is problematic,
    because:
    - client address can change between two successive requests (DHCP
    re-negotiation with address renewal)
    - client can use a clustered proxy, which shows as a bunch of
    source addresses

    .... and thus, it is deemed that just making it hard enough to guess the
    session id is enough. SSL (with trusted server certificate) is used when
    server non-repudiation and content trustworthiness/secrecy are desired.
    SSL will also protect the content of session ids over the network (but
    of course not on the client).

    >This mystifies me - perhaps it's something simple but I can't figure it out.
    >On Yahoo for instance, if I log in to mail.yahoo.com but then type in
    >another URL in the yahoo domain, say yp.yahoo.com,
    >(with cookies turned off, with no session id being sent to the server
    >through the URL) it still identifies me and greets me by my id.
    >
    >How does the server know to find my name in my authenticated session and
    >serve a personalized page ?


    Hmm.. SSL connection can well have a session id (mostly to avoid costly
    SSL session re-negotiation for each request), which is invisible at the
    HTTP level (but still usable on the server side) - if mail.yahoo.com is
    SSL-protected, that is; I didn't check.
    --
    Wolf a.k.a. Juha Laiho Espoo, Finland
    (GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
    PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
    "...cancel my subscription to the resurrection!" (Jim Morrison)
    Juha Laiho, Jan 15, 2006
    #3
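The two answers above fit together: a domain-wide "ticket" cookie (post #2) that is unguessable and tamper-evident rather than IP-bound (post #3). The following is an added example, not code from this thread or from any servlet container; the class name AuthTicket, the ticket layout and the key are all assumptions. The ticket is an HMAC-signed "user.expiry.nonce" string that any host sharing the key (and receiving the domain-scoped cookie) can verify without a shared HttpSession; the nonce comes from SecureRandom so the value cannot be guessed, and the MAC comparison is constant-time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Constructed example: signed authentication ticket for a domain-wide cookie. */
public final class AuthTicket {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final byte[] key;  // shared by every host in the domain (assumed 32 random bytes)

    public AuthTicket(byte[] key) { this.key = key.clone(); }

    private byte[] mac(String payload) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    /** Issue "b64(user).expiryMillis.b64(nonce).b64(hmac)"; 128-bit nonce makes it unguessable. */
    public String issue(String user, long nowMillis, long ttlMillis) throws Exception {
        byte[] nonce = new byte[16];
        RNG.nextBytes(nonce);
        String payload = ENC.encodeToString(user.getBytes(StandardCharsets.UTF_8))
                + "." + (nowMillis + ttlMillis) + "." + ENC.encodeToString(nonce);
        return payload + "." + ENC.encodeToString(mac(payload));
    }

    /** Return the user name if the ticket is authentic and unexpired, otherwise null. */
    public String verify(String ticket, long nowMillis) throws Exception {
        String[] p = ticket.split("\\.");
        if (p.length != 4) return null;
        byte[] given;
        long expiry;
        try { given = DEC.decode(p[3]); expiry = Long.parseLong(p[1]); }
        catch (IllegalArgumentException e) { return null; }  // malformed field
        // Check the MAC before trusting any field; isEqual does not leak timing.
        if (!MessageDigest.isEqual(mac(p[0] + "." + p[1] + "." + p[2]), given)) return null;
        if (nowMillis >= expiry) return null;
        return new String(DEC.decode(p[0]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        RNG.nextBytes(key);
        AuthTicket t = new AuthTicket(key);
        long now = System.currentTimeMillis();
        String ticket = t.issue("clientX", now, 3_600_000L);
        String[] p = ticket.split("\\.");
        String tampered = p[0] + "." + (now + 99_999_999L) + "." + p[2] + "." + p[3];
        System.out.println("fresh:    " + t.verify(ticket, now + 1_000));          // clientX
        System.out.println("expired:  " + t.verify(ticket, now + 3_600_001L));     // null
        System.out.println("tampered: " + t.verify(tampered, now + 1_000));        // null
    }
}
```

The server would set the ticket as a cookie scoped to the parent domain with the Secure and HttpOnly attributes, so it rides along to every host in the domain only over SSL; as Juha notes, this still does not protect a ticket copied off the client itself.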
