Session Fixation and How to Fix It
These last few weeks, I’ve been tasked to fix a number of security holes in our software. Since I’m not a security expert, I’ve been extremely interested in this, and have learned quite a few things. Among them is the Session Fixation attack.
The context is an online Java application. One part is avalailable through simple HTTP, where you can do simple browsing; when you enter credentials and successfully log in, you’re switched to HTTPS. This is a very common setup found online. For example, Amazon works this way: you browse the product catalog and put products in your basket in HTTP, but as soon as you login to checkout, you’re switched to HTTPS.
Now, the attack scenario is the following:
- Alice visits this online application and gets the value of the
JSESSIONIDcookie returned by the server
- Alice crafts a link to the application, including the previous
- Alice sends the link to Bob
- Bob clicks on the link sent (rather stupidly, I’d say) or copies the link to his browser (the result is the same)
- In the same session, Bob enters his credentials to enter the secured part of the application. He’s now authentified within the session referenced by the
JSESSIONIDsent by Alice
- Using the
JSESSIONIDsent in her own browser, Alice is able to operate the application with the same credentials as Bob
Wow! If the site is an online banking site, this is extremely serious, giving potential attackers access to your bank account. This issue is known as Session Fixation and is referenced by OWASP.
Though we can require users not to click on links sent by emails, that’s a request for “aware” users, not everyone’s grandmother. We definitely need a more robust solution. The proposed remediation is quite easy to design: when the user switches from HTTP to HTTPS, he’s sent another JSESSIONID. Basically, his old session is destroyed, and a new one is created with all attributes of his former session.
It is possible to implement this behavior. However, if one is using Spring Security, it’s available out of the box through the
SessionFixationProtectionStrategy class. Just plug it into the
Beware, most examples available on the Web only show usage of the strategy for session management!
Better yet, using JavaConfig and the
WebSecurityConfigurerAdapter, it is configured out-of-the-box. Here’s an example of such configuration, with the strategy already configured:
// Creates a simple principal in memory
// Requires user to have USER role
// Requires channel to be HTTPS
// Dont forget a simple form login!
Get the sample project - it is also a good template project for Spring MVC & Spring Security with JavaConfig, and check the
JSESSIONID cookie value changed.
Note: you’ll need a SSL-enabled servlet container.