I'm working on a web application with spring mvc. I put profile data about my users in a session variable.
for( AdminProfil ap : admin.getAdminProfils()){
if(ap.getProfil().getNomProfil().equals("root")){
session.setAttribute( "root", true );
}
else if(ap.getProfil().getNomProfil().equals("saisie")){
session.setAttribute( "saisie", true );
}
else if(ap.getProfil().getNomProfil().equals("controle")){
session.setAttribute( "controle", true );
}
else if(ap.getProfil().getNomProfil().equals("validation")){
session.setAttribute( "validation", true );
}
}
and in my jsp page :
<c:if test="${ sessionScope['saisie'] }">
......
</c:if>
I want to know if the session variable can be modified by one of
my users or someone else who wants to hack my web application?
If the session can be modified what other solution can I use to stop a user from changing their profile?
Is it okay to use a session variable in my case or are cookies better?
I want to know if the session variable can be modified by one of my
users or someone else who want to hack my web application ?
No, session variables cannot be modified by one of your users or someone else
However, if you're not careful, browsers can be tricked into using the wrong session cookie, and session cookies can be stolen:
Set the httpOnly flag on your session cookie
Change the user's session id after they sign in to avoid session fixation
Use HTTPS and set the secure flag on your session cookie to avoid session hijacking
Protect your site against XSS and XSRF with a WAF like modsecurity
I'd recommend using Spring Security 4 instead of rolling your own system though.
It's okey to use session variable in my case or the cookies are better
?
Yes it's okay. No cookies are not better, as cookies can be modified by a user or someone else.
Related
I have a situation where I need to create a cookie when a session is created, and when the session is removed I have to remove the cookie. When a user manually ends a session I can remove the cookie in the doGet method of the logout servlet. But when the session times out I am not able to do that, so I am planning to sue the HttpSessionListener for this, but I have seen some where that we cannot do that. Is there any other way than the one mentioned here.
Really how do want to remove a cookie when you do not access to the user?!?!
The only solution is setting cookie live-time to the exact time your cookie session is(1 hour is default)
For each request you need to set the cookie with the updated time(current_timestamp+'1 hour'), it will tell browser keep the cookie for next 1 hour.
Beside the cookie, you need to check the integrity of the cookie and the session, simply track the cookie integrity with the session(maybe a hash), it helps you when a user tries to fool your server, by providing cookie A from user A by session user B.
strong textI am new, need a proper way to validate. I followed
5 line code. it doent have a httpsession but still going to appointment.jsp . why so?
I followed How to check if session exists or not?
it is giving a session. org.apache.catalina.session.StandardSessionFacade#3b59e880 but the user is not login in...
it does. but I dont know why and how it got one?
if (request.getSession(false) == null) {
request.getServletContext().getRequestDispatcher("/login.jsp").forward(request, response);
} else if (request.getSession(false) != null) {
request.getServletContext().getRequestDispatcher("/appointment.jsp").forward(request, response);
}
Session is not created after your user logs in, It is created at the first request to the container from a browser. This enables container to track subsequent requests from same browser. This is implemented usually using a cookie with unique id(session id).
So even it depends on what is happening at user logout? are you calling session.invalidate().
We cant say a user as authenticated just because session object is not null.
There will always be a HttpSession object (ok, not always, but most of the time) - this is not an indicator for an authenticated user.
You need to set a session attribute eg. "authenticated" to flag this session as authenticated or not.
You can add this by calling request.getSession().setAttribute(...)
By default, a JSP will create a session. You probably don't want that behavior for your login page, so use the page directive in login.jsp:
<%# page session="false" %>
You would also need to make sure that any other JSP that is accessed before a successful login does not create a session.
if (request.getSession(false).getAttribute("userLoggedIn") != null ) {
if((Boolean)request.getSession(false).getAttribute("userLoggedIn") ) {
request.getServletContext().getRequestDispatcher("/appointment.jsp").forward(request, response);
}
} else {
request.getServletContext().getRequestDispatcher("/login.jsp").forward(request, response);
}
I am using the following code to delivery the user to a Welcome page if they are already logged in, or back to the login page if they are not.
HttpSession session = request.getSession(false);
if(session == null){
request.getRequestDispatcher("/WEB-INF/login.jsp").forward(request, response);
}else{
//User already logged in. Send to home.
response.sendRedirect("Welcome");
}
First time around, it works fine, but if I reload the page even once it sends the user to the welcome page and inevitably sends me back a 500 error because there are elements on that page that cannot be loaded because the user log in code has not been executed.
Does a session get started automatically even if request.getSession(true) is not declared when a page is reloaded? Is there a way to prevent this?
Probably the session is being created upon forwarding to login.jsp. That's necessary because the user has to be assigned to an unauthenticated request and then authenticate it. If you want to redirect based on whether the user is logged in or not, use SessionContext's getCallerPrincipal.
For more info, check this (somewhat old, but still relevant) article
The method request.getSession(false) returns null if there is no current session. I suggest to compare a key too.
Please take a look at this threads.
Do JSPs always create a session?
How do servlets work? Instantiation, session variables and multithreading
I need to implement a simple remember me option in a java servlet with cookies, without using any advanced framework.
First, at login, I create the cookie and send it in response to the browser (client). The value to be stored in the cookie is just a simple hash from username + password.
How should I manage the incoming request from the browser, sending the cookie?
My approach is to check between registered users if there is any user that has the hash from username + password equal to the value in the cookie?
Is this approach correct?
Also, I did not understand exactly what is the mechanism of the expiration date. Does the browser delete the cookie when it is expired, it not, how do I check if the cookie is expired?
As long as you're not using HTTPS the method you suggest is highly insecure. I would suggest to generate some sort of session token (e.g. use java.util.UUID.randomUUID()) and set this as cookie and store it somewhere on the server side so you later can identify the user associated with this session id in the cookie.
This gives you the opportunity to reset a certain session cookie if you think there's some fraud happening and there's no direct relation between the user name/password and the cookie id you use. But note: this method is still vulnerable to a man-in-the-middle attack.
Concerning the expiration: yes the cookie becomes invalid and might get deleted by the browser if it is expired. But you can set the cookie to something in the year 3000, so it lives forever.
Is there a way to have access to session in a AJAX call made to a JAVA server.
On the server, the request object has both the session and cookies properties NULL.
I can pass though the session id as a parameter, but how can I access the session by ID?
Edit
Using session.getSession(false); returns null, while session.getSession(true); obviously returns a new session, with another id.
The best way to deal with this is to append ";jsessionid=" at the end of the url. For instance, in a jsp:
<script type="text/javascript">
...
xhr.open("GET", url + ";jsessionid=<%=pageContext.getSession().getId()%>");
...
</script>
The line:
xhr.open("GET", url + ";jsessionid=<%=pageContext.getSession().getId()%>");
is rendered as:
xhr.open("GET", url + ";jsessionid=6EBA4F94838796DC6D653DCA1DD06373");
It sounds like you don't have a session!
Make sure when the load containing the AJAX script, the session is created on the server.
session.getSession(true);
If this is stored as a cookie, then your AJAX call will submit it back to the server when it fires.
In order to access the session you do not need the session id. This is all done for you behind the scenes by your servlet container. To get the session for a particluar request all you need to do is:
HttpSession session = request.getSession(false);
where request is your HttpServletRequest. The false arg means "do not create session if it does not exist". Of course use "true" if you want the session to be created if it doesn't exist.