Session Swapping (Jack becomes Jane)


richardsosborn

We have an issue with our web application. It's a Struts/Tiles/DAO app
spread on multiple Sun ONE web servers and one Sun ONE app server.

When a user clicks one tile's JSP "too long" (IE left nav) they receive
the session data as though they were another user.

I've read the archive on it being a network problem. And the Sun site
has a bug for losing sessions altogether. Just wondering if anyone has
any other light to share.
 

Oliver Wong

> We have an issue with our web application. It's a Struts/Tiles/DAO app
> spread on multiple Sun ONE web servers and one Sun ONE app server.
>
> When a user clicks one tile's JSP "too long" (IE left nav) they receive
> the session data as though they were another user.
>
> I've read the archive on it being a network problem. And the Sun site
> has a bug for losing sessions altogether. Just wondering if anyone has
> any other light to share.

I don't know how your framework implements session handling, but this is
a very big security issue. Imagine if you were browsing through eBay, and
all of a sudden, you found yourself logged in as someone else. You could
place bids of several thousands or millions of dollars through someone
else's credit card account, etc.

It's much safer to just lose the session object, thus "kicking" the user
out and forcing them to log back in.

Most session handling implementations I've seen assign a randomly chosen
session key to each user. The range of possible keys is large so that even
if a million hackers were all pounding on your server trying to guess at
other people's keys, the probability of them guessing a key assigned to
someone else is very low.

- Oliver
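To put numbers on Oliver's point about large random key spaces, here is an added example (not code from this thread, and in Python rather than the Struts/Java stack being discussed) that contrasts a predictable session id scheme with one drawn from the OS CSPRNG and bounds an attacker's chance of landing on someone else's live session. The SessionStore class, SESSION_ID_BYTES and the helper names are hypothetical.

```python
import itertools
import secrets

# Added illustration (not code from the thread): compare a guessable session
# id scheme with one drawn from a cryptographic RNG, and bound the attacker's
# odds. SESSION_ID_BYTES and the class/function names are hypothetical.

SESSION_ID_BYTES = 16  # 128 bits of entropy per session id


class SessionStore:
    """Server-side map from session id to the user who owns it."""

    def __init__(self, id_generator):
        self._new_id = id_generator
        self._sessions = {}

    def create(self, user):
        sid = self._new_id()
        if sid in self._sessions:
            # A collision would silently hand one user another user's session.
            raise RuntimeError("session id collision")
        self._sessions[sid] = user
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


def make_sequential_generator(start=1000):
    """Weak scheme: predictable ids, so a neighbour's id is one increment away."""
    counter = itertools.count(start)
    return lambda: f"SID{next(counter)}"


def secure_session_id():
    """Strong scheme: 128 random bits from the OS CSPRNG, hex encoded."""
    return secrets.token_hex(SESSION_ID_BYTES)


def guess_probability(key_bits, active_sessions, guesses):
    """Union-bound estimate of P(at least one guess lands on a live session)."""
    return min(1.0, active_sessions * guesses / 2 ** key_bits)


def brute_force(store, candidates):
    """Attacker loop: try candidate ids until one resolves to somebody's session."""
    for sid in candidates:
        user = store.lookup(sid)
        if user is not None:
            return sid, user
    return None


if __name__ == "__main__":
    weak = SessionStore(make_sequential_generator())
    weak.create("jack")
    weak.create("jane")
    print("weak:", brute_force(weak, (f"SID{i}" for i in range(1000, 1100))))

    strong = SessionStore(secure_session_id)
    strong.create("jack")
    strong.create("jane")
    print("strong:", brute_force(strong, (secure_session_id() for _ in range(100_000))))
    print("P(hit) with 1e6 sessions, 1e6 guesses, 128-bit ids:",
          guess_probability(128, 10**6, 10**6))
```

With 128-bit ids, a million live sessions and a million guesses, the union bound is on the order of 10^-27, which is why guessing is not the realistic route to Jack seeing Jane's data; the thread's symptom points at the server handing out the wrong session, not at weak ids.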
 

vishalsingh20

We had a problem in our application where receipts were printing
containing data of a different store for a transaction in another
store. We were on Weblogic 8.1, Struts 1.0, JDK 1.4.
Steps/Resolutions:
1. JSP pages: We verified that the JSP pages were not directly
changing any data - that is, the data was synchronized.
2. Session Handling/Mapping per User-Id: One can add a map of sessions
and user-ids or IPs if it is an intranet application.
3. Session Verification per Request: You can use the synchronizer
token pattern:
http://www.javaworld.com/javaworld/javatips/jw-javatip136.html. This is
used for double-submit suppression - but you can send the session id as
a token and then verify that it matches the received token from the
request with the token that was sent. That way you can eliminate the
issue of session/data switching and data duplication.
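The per-request verification in steps 2 and 3 above, as an added example that is not from this thread (written in Python rather than the Struts/JSP stack under discussion): each session gets a random token that the server writes into every page it renders, and a request is served only if the token and user it submits match the session the server resolved it to. When Jack's page arrives attached to Jane's session, the mismatch is caught and the request is refused instead of serving Jane's data. The Session and App classes and the replay helper are hypothetical.

```python
import secrets
from dataclasses import dataclass

# Added illustration (not code from the thread): every session carries a random
# token that the server writes into each page; a request is served only if the
# token it submits matches the session it was resolved to. Session, App and the
# request tuples below are hypothetical.


@dataclass
class Session:
    user: str
    token: str


class App:
    def __init__(self):
        self.sessions = {}  # session id -> Session

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user=user, token=secrets.token_hex(16))
        return sid

    def render_page(self, sid):
        """Emit the user's page; the token travels as a hidden field / URL param."""
        s = self.sessions[sid]
        return {"user": s.user, "token": s.token}

    def handle_request(self, sid, page_user, page_token):
        """Verify the page that sent this request belongs to the resolved session."""
        s = self.sessions.get(sid)
        if s is None:
            return ("login", None)
        if not secrets.compare_digest(s.token, page_token) or s.user != page_user:
            # The page was rendered for one session but the request resolved to
            # another: refuse to serve it and drop the suspect session.
            del self.sessions[sid]
            return ("login", None)
        return ("ok", s.user)


def replay(app, requests):
    """Process (resolved session id, page) pairs; returns the outcome of each."""
    return [app.handle_request(sid, page["user"], page["token"]) for sid, page in requests]


if __name__ == "__main__":
    app = App()
    jack, jane = app.login("jack"), app.login("jane")
    jack_page, jane_page = app.render_page(jack), app.render_page(jane)
    # Third request simulates the swap: Jack's page, but resolved to Jane's session.
    for outcome in replay(app, [(jack, jack_page), (jane, jane_page), (jane, jack_page)]):
        print(outcome)
```

The server cannot tell which side of the mix-up is at fault, so this version drops the resolved session and forces a fresh login, which is the "kick the user out" behaviour recommended earlier in the thread; a softer variant would only refuse the request. For the intranet case in step 2, the client address can be stored in the Session and compared in the same check.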
 
