I am testing a Liferay application, and I am trying to figure out, how the session mechanism works. I couldn't find any good references on that. I need to know how valid sessions are distinguished from invalid sessions.
Sessions are managed by the application servers. If the browser request contains a valid session id, it will be recognized. If it doesn't, it won't.
Related
I read sessions and security questions on stackoverflow, and much beyond. I think I know the answer, but I want to confirm it with one concise simple question--security is too important.
Conjecture: My black hat web visitor does not have direct access to his $_SESSION contents.
that is, after my server executes
$_SESSION['myuserprivilege']='user' ;
I can assume that even the most clever blackhat cannot somehow find out even that my code did this, interrogate to what my php program set his server $_SESSION to (both keys and contents), or (much worse) engineer $_SESSION['myuserprivilege'] = 'admin'. only my own server php code can do so.
I still have to be concerned that a blackhat can steal the cookie of a different admin user ( => https and session rotation). but that's a different issue.
correct?
The values of the session are stored in your server, not in the user machine. So, no... No one can see or set that value without access to your server or any security problem in your code. It's like money in a safe, only who have access can get it or if the safe isn't secure enough.
And about cookie stealing, this is called session hijacking. It's common tecnique used to steal a session from another user. You can get more information here.
Basically if a person get the id of the session of a logged admin and the application doesn't have any approach to avoid this kind of situation, this person can have access to that user privileges.
Anyone can set a cookie in your website, but sessions has one thing called "PHP Session ID", so to get some value from a session, this person need to know a valid session id that have privileges to some part of application.
Session routation is not a problem, the chances to get some session from anyone that have this privileges is really, really hard. You also can use more characters in your session to make it more harder, but o don't think it's necessary.
Final answer: No one cannot set a session in our website, just who has access do the code and your server can do it.
I'm troubleshooting an issue with a server instance that I need to do some root cause analysis and right now I believe the driver is Express Sessions.
I've implemented sessions as a primary intra-page data storage mechanism, but it seems that sessions are not unique to the visitor relationship.
By this I mean that I have a session that prefills a form on a "shipping information" page. However, if I visit this page from other browsers or other machines the detail from the first session created on server start is prefilled as if the session data is bleeding into these other browser relationships.
So, I'm trying to understand if the intention for sessions is that they are unique to the visitor by default. If not, can they be made to be unique?
I'm especially worried because admin authentication is also done via sessions.
Yes they are unique to visitor, it sounds as if your code is setting some global state, and not sessions. You may want to post the config you are using, plus where you are setting session vars.
First, i know that there are to components of handling user access to restricted pages in web appliations.
Authentification is about identifying a user.
Authorization: is about determining what parts of the application an authenticated user has access to
I belive this is made with session id.
But does the client have to send the session id with every request he makes? If not how can he be authentified? Or is a cookie used for this?
Sessions exist on the server. They are sometimes (usually) identified by a cookie.
The session can contain a multitude of information that is relevant to the session. E.g. shopping basket.
Server gets the cookie. Looks up the session. Has it timed out? Is it from the same IP address? From the same browser perhaps? Then use the stored information for the generation of the web page
Session still among pages, but it would be destroyed when you close your browser
Cookies still sometime when the time expires
I have two different applications running on the same server, one is Java-based running in Tomcat with spring-social and spring-security, and the other is a NodeJS application using PassportJS as security framework.
Both apps are configured to access using Google OAuth2 with the same clientId/secret, so I can login with my google account in each of them. But if I change from one of them to another, I need to login again, because the session doesn't exist on the other app.
I'm looking at the session cookies, the Java app creates the JSESSIONID cookie whereas the Node app creates a "connect.sid" cookie. Maybe I could create a session in each app everytime a user do a login? Or I have to deal with OAuth tokens?
Please, could you point me in the right direction? Should I use another library/framework?
Thank you in advance.
This might be of help; it looks like it's relatively easy to change the name of the cookie for Express/Connect. The question then just becomes whether the contents of JSESSIONID and connect.sid are in fact the same.
If you put sit Paros on the traffic between your browser and a web application being hosted in WebSphere, you will have two session identifiers passed as part of the cookie section of the HTTP request:
A JSESSIONID. This is your HTTPSession ID as far as I can tell.
An LTPA2 token. This is your “single sign on” session as far as websphere is concerned.
Now, IBM say that a single hosted application cannot invalidate the LTPA2 token when a user is signing out. The thinking behind this is that it is an SSO identifier, so a single application should not be able to invalidate it as it is intended for use across multiple applications. There is no configuration in WAS to declare “this environment hosts only one application so therefore that app can invalidate the LTPA2 token”.
What is worrying is that these LTPA2 sessions hang around for a configurable amount of time. Therefore, if another user got a handle on a users’ LTPA2 token, they can use it to access that users’ session and therefore their sensitive data.
You can prevent a man in the middle attack to capture the session value by forcing the transmission of the cookie to occur over SSL, and by specifying HTTP only for cookies. However, I am still worried about the cookie being available on the local machines’ hard drive. The browser has to store it somewhere, so therefore there has got to be a way to get access to it?
My question is, is it possible for someone to get an LTPA2 value such as this from the hard drive? Say someone sits down in a library, signs in to their online banking, does some work and then logs out. Is it possible for the next user to get the LTPA2 token somehow?
I tried searching through the directories where I thought FireFox 4 and IE8 would store the cookie, but couldn’t pattern match the value. My gut instinct is that it may be possible to find this data on certain browsers?
By default the LTPA2 token is a "Session Cookie" Websphere does not set an expiry on that cookie, and it is just stored in Browser Memory until the user closes their browser.
Unless your client is explicitly manually pulling that cookie and storing it client side, it will not be stored in any files on the user's machine.
You can invalidate the LTPA token if you want to.
But this would require using IBM extensions (naturally)
Look at these:
(a) http://www.ibm.com/developerworks/websphere/techjournal/1003_botzum/1003_botzum.html
LTPA token is non-standard, but is simply a credential/token and does not impact the application development team.
Redirects to the ibm_security_logout URL in order to remove the LTPA token when users log out.
(b) ftp://ftp.software.ibm.com/software/dw/wes/0409_botzum/WAS-511-Security-AdvancedTopics.pdf
Though these articles are old, these should still work (as these basics haven't changed a lot over the years)
By invalidating the LTPA token(which as Terrell mentioned in a "in memory session cookie" )all your worries that you had should be gone.
HTH
Manglu