Here's the scenario:
Login as User A - Sets a JSESSIONID cookie
Logout
Login as User B - Attempts to overwrite the JSESSIONID in IE with the new one
Subsequent calls to the server no longer have a JSESSIONID cookie sent in the headers
Here is what the traffic looks like:
Here is what it looks like when the 2nd login attempts to "overwrite" the JSESSIONID cookie
You can see here that the "old" JSESSIONID ("DSE6...") was Sent to the server, but that the "new" JSESSIONID ("CD26...") was Received.
A few other details:
Tomcat 7.x is on the server-side
Using httpOnly, secure cookies
This is ONLY an issue in IE; everything works fine in Chrome and FF
So the question is: why is IE forgetting the JSESSIONID when the server attempts to overwrite it?
I have a web application. I deploy it into a Jetty container.
After a browser restart it loses the JSESSIONID, although the session is still alive on the server, and it redirects me to the login page.
In the browser I see the following cookies:
How do I find out the current jsessionId cookie type?
Can I change the cookie type to resolve my issue?
How do I change the jsessionId cookie type?
Which type would be proper in this case?
Your session is not deleted until its expiry time on the server side.
However, your "browsing session" ends when you restart your browser. Therefore your browser deletes all session-based cookies, including the one grabbed from your website. As a result, you lose your old session and are forced to start a new session.
Check this out:
What is the best way to implement "remember me" for a website?
The cookie that identifies your session is JSESSIONID. Note that the expires attribute for that cookie is Session, which means that the browser will forget it when you close it. You need to make the server set the expires attribute for the cookie, that is, the login response should contain a header similar to:
Set-Cookie: JSESSIONID=<id>; expires=Tuesday, 05-Nov-2004 08:30:09 GMT; ...
Read documentation for your authentication library to find out how to do that.
My application is running in JBoss 7 and the sessions are being maintained by using the jsessionid cookie, which is marked secure and httponly. But even with this, if I am able to get any user's jsessionid cookie value, I will be able to impersonate that user. Is there any way to prevent this?
When you have a session for a user on your server, you need to match a request from a user to its session; that is the purpose of the JSESSIONID cookie.
This is why you need to secure it by adding the "secure" (this cookie will only be sent over https to prevent network sniffing) and "HttpOnly" (to disable access to this cookie by client JavaScript code) options.
You can add other mitigation methods by checking for changes in the user's IP address (but this will break 3G/Wi-Fi switches for legitimate users), user agent string, ...
But in practice, if you have access to the JSESSIONID cookie you can have access to this data too.
You can take a look at the OWASP Session Management Cheat Sheet for more:
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
I am setting the cookie SPRING_SECURITY_REMEMBER_ME_COOKIE to null when the user logs out.
Cookie cookie = new Cookie(cookieName, null);
String cookiePath = request.getContextPath();   // must equal the Path the stored cookie was created with
cookie.setPath(cookiePath);
cookie.setMaxAge(0);                            // Max-Age=0 tells the browser to delete the cookie
response.addCookie(cookie);
The above code works fine on my localhost, but when I moved to the cloud server it doesn't work: it is not removing the cookie while logging off. There is no difference other than domain forwarding.
It may or may not be your case, but there is a similar issue regarding the removal of JSESSIONID cookies. Take a look here:
Spring Security - Session Management
navigating to spring security login page redirects to invalid-session-url
The same thing may be happening to the Remember-Me cookie. Check the 'Set-Cookie' headers when you log out of your system (Firebug is enough for this): if the 'path' does not match the path for the stored cookie (created when accessing the login page), then you may have this issue on your environment. In this case, you could create a custom CookieClearingLogoutHandler to properly clean the cookies.
I am stuck with a jsession id problem. I am using Tomcat 7, Spring framework 3.1.1, security with Spring Security.
Our application has a login page with an url like : defaultSubdomain.theSite.com/login.html. Some of our users have their own subdomains, so their login page url are : subdomainForUser.theSite.com/login.html.
The problem is, if one of them uses the default login URL:
he will be logged in, an HttpSession will be created on the server and a JSESSIONID cookie will be created for defaultSubdomain.theSite.com on the client, then
our server makes the browser redirect to the welcome page of the user's subdomain and makes the browser recreate the JSESSIONID cookie with JavaScript.
In a filter:
// if the client is on the wrong subdomain, send it to the same page on its own subdomain
response.sendRedirect(url);
return;
But after that, the client still needs to log in again. Is there any way to achieve what I am trying to do (with a coding approach and not by configuring Tomcat)?
I made some research and we could use
<Context sessionCookieDomain=".theSite.com" sessionCookiePath="/">
but it implies having one configuration for dev, one for test and one for prod which is not acceptable.
Thanks!
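The three cookie behaviours discussed in the posts above (a cookie without Expires/Max-Age not surviving a browser restart, a clearing cookie whose Path does not match the stored cookie being ignored, and a host-only JSESSIONID not being sent to a sibling subdomain) all follow from the browser's cookie storage and matching rules. The Python model below, simplified from RFC 6265, is an added example and is not code from any of the posts, nor from Tomcat, Jetty or Spring Security; the host names (site.example, default.thesite.example, user.thesite.example), paths and cookie values in it are constructed for illustration.

```python
"""Simplified model of how a browser stores and matches cookies (RFC 6265).
Added example, not code from any post above or from Tomcat/Jetty/Spring; hosts,
paths and cookie values are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple

@dataclass
class Cookie:
    name: str
    value: str
    domain: str             # stored without a leading dot
    host_only: bool         # no Domain attribute: sent to that exact host only
    path: str
    secure: bool
    max_age: Optional[int]  # None: session cookie, dropped when the browser exits

def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4: a cookie without Path inherits the request's directory."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]

def path_matches(cookie_path: str, request_path: str) -> bool:
    if request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")

def domain_matches(c: Cookie, host: str) -> bool:
    if c.host_only:
        return host == c.domain
    return host == c.domain or host.endswith("." + c.domain)

def parse_set_cookie(header: str, host: str, request_path: str, now: datetime) -> Cookie:
    """Turn one Set-Cookie header received from host/request_path into the stored cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in parts[1:])}
    max_age: Optional[int] = None
    if "max-age" in attrs:                      # Max-Age takes precedence over Expires
        max_age = int(attrs["max-age"])
    elif "expires" in attrs:                    # e.g. Tuesday, 05-Nov-2004 08:30:09 GMT
        max_age = int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    domain = attrs.get("domain", "").lstrip(".").lower()
    return Cookie(name, value, domain or host.lower(), not domain,
                  attrs.get("path") or default_path(request_path), "secure" in attrs, max_age)

class Browser:
    def __init__(self) -> None:
        self.jar: Dict[Tuple[str, str, str], Cookie] = {}

    def receive(self, header: str, host: str, request_path: str) -> None:
        c = parse_set_cookie(header, host, request_path, datetime.now(timezone.utc))
        key = (c.name, c.domain, c.path)        # identity used when overwriting or deleting
        if c.max_age is not None and c.max_age <= 0:
            self.jar.pop(key, None)             # Max-Age=0 or a past Expires deletes it
        else:
            self.jar[key] = c

    def cookie_header(self, host: str, path: str, https: bool = True) -> Dict[str, str]:
        """Name -> value pairs that would be sent in this request's Cookie header."""
        return {c.name: c.value for c in self.jar.values()
                if domain_matches(c, host) and path_matches(c.path, path)
                and (https or not c.secure)}

    def restart(self) -> None:                  # closing the browser drops session cookies
        self.jar = {k: c for k, c in self.jar.items() if c.max_age is not None}

def demo_session_vs_persistent() -> Tuple[bool, bool]:
    # JSESSIONID has no Expires/Max-Age and dies with the browser; a Max-Age cookie survives
    b = Browser()
    b.receive("JSESSIONID=A1B2; Path=/app; Secure; HttpOnly", "site.example", "/app/login")
    b.receive("remember=tok; Path=/app; Max-Age=1209600; Secure; HttpOnly", "site.example", "/app/login")
    b.restart()
    sent = b.cookie_header("site.example", "/app/home")
    return "JSESSIONID" in sent, "remember" in sent

def demo_logout_path_mismatch() -> Tuple[bool, bool]:
    # a clearing cookie removes the stored one only if name, domain and path all match
    b, n = Browser(), "SPRING_SECURITY_REMEMBER_ME_COOKIE"
    b.receive(f"{n}=tok; Path=/app; Max-Age=1209600", "site.example", "/app/login")
    b.receive(f"{n}=; Path=/; Max-Age=0", "site.example", "/app/logout")
    still_there = n in b.cookie_header("site.example", "/app/home")
    b.receive(f"{n}=; Path=/app; Max-Age=0", "site.example", "/app/logout")
    return still_there, n not in b.cookie_header("site.example", "/app/home")

def demo_subdomain() -> Tuple[bool, bool]:
    # a host-only JSESSIONID is not sent to a sibling subdomain; Domain=.thesite.example shares it
    b = Browser()
    b.receive("JSESSIONID=C3D4; Path=/", "default.thesite.example", "/login.html")
    host_only = "JSESSIONID" in b.cookie_header("user.thesite.example", "/welcome")
    b.receive("JSESSIONID=E5F6; Path=/; Domain=.thesite.example", "default.thesite.example", "/login.html")
    return host_only, "JSESSIONID" in b.cookie_header("user.thesite.example", "/welcome")
```

The browser identifies a stored cookie by the tuple (name, domain, path), so a Set-Cookie that differs in Domain or Path creates a second cookie instead of overwriting or deleting the first. That is why a logout handler's Path must equal the one the container used when it set the cookie (the context path, for Tomcat's JSESSIONID), and why the subdomain case needs an explicit Domain attribute. The caveat with a Domain=.theSite.com cookie is that every subdomain receives it, so any subdomain serving less-trusted content can read, replay or fix that session.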
What is the reason that Glassfish resorts to URL rewriting when I am using the latest Chrome browser and logging in to the application without having turned off cookies? Is there anything I have forgotten to configure? It happens randomly.
The JSESSIONID is the value that determines the current HTTP session for the user. It is typically stored in a browser cookie (named JSESSIONID) to connect requests with the appropriate session object on the server.
The reason why the JSESSIONID is not present in the original request is probably because the server has not had the opportunity to send it back to the browser. Any links on a page (using c:url, for example) without a current JSESSIONID cookie will be generated using URL rewriting (the URL will contain the jsessionid). On subsequent requests, after the JSESSIONID has been stored as a browser cookie, the URL rewrite does not happen.
If the user's browser does not support cookies (or the use of cookies has been turned off) the URL rewriting will allow the user to keep connecting to the same session by the jsessionid added to each URL.
However, if you want to turn off the URL rewriting, you can do this by setting the enableURLRewriting property to false in the glassfish-web.xml file:
<property name="enableURLRewriting" value="false"/>
You may also have luck removing the URL rewrite by ensuring that the appropriate cookie exists and redirecting to a more appropriate URL.
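Because a rewritten URL carries the session ID in the path, that ID ends up in access logs, browser history and the Referer header of any outbound link, which is the security reason to disable rewriting rather than just the cosmetic one. The following Python snippet is an added example, not code from Glassfish or from the answer above: it scans access-log lines for URLs carrying a jsessionid path parameter, lists the exposed IDs so they can be invalidated, and strips the parameter from a URL the way a redirect to a clean URL would. The log lines in it are constructed, not real traffic.

```python
"""Find session IDs that a servlet container wrote into URLs (the ;jsessionid=
path parameter) in access logs, and strip them from a URL before redirecting.
Added example, not code from Glassfish or the answer above; log lines are constructed."""
import re
from typing import Dict, List

# Servlet containers append the ID as a path parameter, before any query string.
SESSION_IN_URL = re.compile(r";jsessionid=([^;?/\s]+)", re.IGNORECASE)
# Common Log Format: client ident user [timestamp] "METHOD URL PROTO" status bytes
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log (RFC 5737 documentation addresses, made-up session IDs).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /app/home;jsessionid=7D2A9C1F0B3E4A5D6C7B8A9F0E1D2C3B HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /app/static/logo.png HTTP/1.1" 200 812
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /app/report;jsessionid=AB12CD34EF56AB12CD34EF56AB12CD34?id=42 HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "POST /app/login HTTP/1.1" 302 0
"""


def strip_jsessionid(url: str) -> str:
    """Remove the ;jsessionid=... path parameter, keeping path and query string intact."""
    return SESSION_IN_URL.sub("", url)


def find_url_session_ids(log_text: str) -> List[Dict[str, str]]:
    """One record per request whose URL carried a session ID."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # not a CLF line; skip rather than guess
        s = SESSION_IN_URL.search(m["url"])
        if s:
            hits.append({"client": m["client"], "time": m["ts"], "url": m["url"],
                         "session_id": s.group(1), "clean_url": strip_jsessionid(m["url"])})
    return hits


def ids_to_rotate(log_text: str) -> List[str]:
    """Distinct session IDs exposed in URLs; these have leaked into logs, history and
    Referer headers and should be invalidated on the server."""
    return sorted({h["session_id"] for h in find_url_session_ids(log_text)})
```

The enableURLRewriting property is Glassfish-specific; the portable setting since Servlet 3.0 is a session-config element in web.xml with tracking-mode set to COOKIE, which stops any compliant container from appending jsessionid to URLs. Either way, IDs that have already appeared in URLs should be treated as exposed and the sessions invalidated.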