I am looking for the default codebase for creating jsessionids. It may vary from instance to instance, but I can't seem to find it on the net, just explanations of how to change/set it.
Thanks
JSESSIONID cookie is created/sent when session is created. Session is created when your code calls request.getSession() or request.getSession(true) for the first time. If you just want get session, but not create it if it doesn't exists, use request.getSession(false) -- this will return you a session or null. In this case, new session is not created, and JSESSIONID cookie is not sent. (This also means that session isn't necessarily created on first request... you and your code is in control when the session is created)
Sessions are per-context:
SRV.7.3 Session Scope
HttpSession objects must be scoped at the application (or servlet context) level. The underlying mechanism, such as the cookie used to establish the session, can be the same for different contexts, but the object referenced, including the attributes in that object, must never be shared between contexts by the container.
Related
I am trying to implement security for my project that prevents session fixation.
As i have no access to the component (a filter from a certain library, lets call it MagicFilter) that handles the whole session-creation and validation, i was trying to find out another way of possibly doing it.
Now, consider this scenario for my session:
User requests the login-page
MagicFilter sets a cookie with a JSESSIONID etc
other filters do some work ...
Java Spring MVC, so as last step before the user sees the LoginView i have access to stuff in my LoginController. Here i .invalidate() the session right before i return the view.
So basically the user never has a real and valid session-ID while at the login-page. Only after he logs in the MagicFilter assigns another session-ID which will then be sticked to, as i only invalide() the session-ID in my LoginController.
But this feels very rough and i kind of had to "hack" around the automatic process of the MagicFilter.
Can anyone see if this should be safe in terms of session fixation or not?
I have a JSF 2.0 application, let's call it "MyApp", with a SessionScoped bean that uses the below code to get the session and set the path on init...
HttpServletRequest request = (HttpServletRequest)FacesContext.getCurrentInstance().getExternalContext().getRequest(); //Get request from external context
HttpSession session = request.getSession(false); //Get session and don't create one if it doesn't exist
session.getServletContext().getSessionCookieConfig().setPath(""); //Set the path in the session's cookie
My problem is that the updated path ("") doesn't show up in the response session cookie, JSESSIONID, until the second request to the application. The first request gets a JSESSIONID cookie in the response with the default path, which includes the application's root context ("/MyApp"). If I reload the page, this second request will get a response with a JSESSIONID cookie that includes the updated path ("").
I can't seem to find any documentation on when the default JSESSIONID cookie is created and added to the response. I'm not sure if the updated session path is being set in the first response's JSESSIONID cookie or if it's being set and overridden by the page's default JSESSIONID cookie.
Questions:
When does the default JSESSIONID cookie get added to the response?
Is it possible to disable the page's default JSESSIONID cookie from being created?
When does the default JSESSIONID cookie get added to the response?
When the HTTP session is created for the first time. E.g. when JSF needs to put a newly created session scoped bean in there. So if you're writing some code in such a bean which should manipulate the session, then you're basically already too late.
Your code snippet is also a strong evidence for it. If the session was really not created, then request.getSession(false) would have returned null and subsequently, calling session.getServletContext() would have thrown a NullPointerException and you'd have asked a very different question.
Is it possible to disable the page's default JSESSIONID cookie from being created?
I believe you're asking the wrong question. You actually want to ask how to set the session cookie path the right way.
You're supposed to configure the session cookie path in web.xml as below:
<session-config>
<cookie-config>
<path>/</path>
</cookie-config>
</session-config>
If you really intend to do it programmatically for some unclear reason which is not elaborated in the question, then you should be doing this before the HTTP session is created for the first time. In other words, you should absolutely not be doing this in a session scoped JSF managed bean, nor be grabbing the needed ServletContext from the HttpSession itself.
Most sensible place would be a servlet context listener or, if you really need it to be "JSF-ish", then an eagerly initialized application scoped bean. Please note that this is an application-wide setting, not a session-wide setting. It being a property of ServletContext (and not of HttpSession) already hints that. Thus, once you set it, it affects all newly created session cookies. Depending on the concrete functional requirement which you told nothing about, there may be better ways. E.g. an additional cookie.
Is there any good reason not to simply destroy the HTTP session like:
FacesContext facesContext = FacesContext.getCurrentInstance();
HttpSession session = (HttpSession) facesContext.getExternalContext().getSession(false);
session.invalidate();
instead of just deauthenticating the user and make sure to clean user data from the session scoped beans?
You have to do both. Deauthenticating the user can depend on your implementation. If you call out to a third party system to obtain a security token for a user, chances are you have to call back again to invalidate the token.
You also have to invalidate the HttpSession. Invalidating the session will release all session scoped beans. It also releases JSF view states and component trees for pages visited during the user's session. These can make the session sizeable and not invalidating will leave the heap full of sessions waiting to timeout and that have a negative impact on the server's capacity.
BTW, you can invalidate the session without the need to obtain the HttpSession, like so:
FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
Find the answer in Oracle documentation:
The session.invalidate() method, which is often used to log out a
user, only invalidates the current session for a user—the user's
authentication information still remains valid and is stored in the
context of the server or virtual host. If the server or virtual host
is hosting only one Web application, the session.invalidate() method,
in effect, logs out the user.
http://docs.oracle.com/cd/E11035_01/wls100/webapp/sessions.html#wp150374
I am Switching between two different Dynamic web application through Links.But if i am working on one application for long time then others application session expires and i got redirected to login page, Is there any method to keep session alive beyond maxInactive time interval while i am working on other application page
There are two options-
If both applications requires single sign on feature (like we login to gmail, then all google services are accessible), you can use tomcat clustering and share session accross cluster. Both your apps will be part of the cluster.
A simple work aroud would be to set a heartbeat ajax request in each application. Use JavaScript's timeout function and send ajax request to servlet after a fix interval.
You can anyway update MaxInactiveInterval of server at runtime, there is this method setMaxInactiveInterval available for HTTPsession class object.
Hope this helps. :)
I can think of one option here that is to manage your own Session Pool. You can save the session object in ArrayList<HttpSession> whenever you create new session. And send that session id to your another application. When you return to previous app, you send back session id. And if you find session dead then find that session in your Session Pool by session id and create new session. In new session set attributes of the previous session object.
Hope this might be useful.
According to the standard 2.4 documentation, the security.yml config file allows for the following configuration option:
session_fixation_strategy: none | migrate | invalidate
source: http://symfony.com/doc/current/reference/configuration/security.html
However, I fail to find any details in the official documentation (or elsewhere) on what this option actually does, or how it works in practice.
So, if I set this option to either "migrate" or "invalidate", how will this affect session handling in my system? For example, if I set it to "invalidate", would this mean that a context-local session is invalidated when the user navigates to a different security context?
In short:
NONE: the session is not changed
MIGRATE: the session id is updated, attributes are kept
INVALIDATE: the session id is updated, attributes are lost
In detail:
None strategy:
Nothing is (supposed to be) done in the default session implementation, thus the session is maintained from one context to the other.
Migrate strategy:
"Migrates the current session to a new session id while maintaining all session attributes."
(The session storage should regenerate the current session.)
"Regenerates id that represents this storage.
This method must invoke session_regenerate_id($destroy) unless this interface is used for a storage object designed for unit or functional testing where a real PHP session would interfere with testing. Note regenerate+destroy should not clear the session data in memory only delete the session data from persistent storage."
Thus the session is retained from one context to the other.
Invalidate strategy:
"Clears all session attributes and flashes and regenerates the session and deletes the old session from persistence."
Thus the session is regenerated from one context to the other.
It was not revealed by your question what kind of session data you are trying to fetch.
But in any case, no separate session is generated for different security contexts:
http://symfony.com/doc/current/reference/configuration/security.html#firewall-context
Security (authentication) related data is stored under a separate key (based on the firewall name). So for example if you have a firewall with a name 'main', the authentication token will be stored under '_security_main', if you have a firewall (a separate context) with a name 'foo', the user and related token data will be stored under '_security_foo', etc.
So besides ->getToken ->getUser (etc.) the rest of the session variables will be available in different contexts provided you use the 'none' or the 'migrate' session strategies.
Take a look at the session interface for details (quotes are from these files)
vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/Session/SessionInterface.php
And the default implementation:
vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/Session/Session.php