I developed the webapplication with Struts2.after logging to the my application copy the url and paste to the same browser with different tab then its going to directly without restrict.in that situation i want restrict it.
but same url copy and paste to another browser its working fine .only same browser and different Tab then only problem
This is because your browser has stored your login authentication in the session. It will remember this until you either
Close all windows of the browser or
Choose New Session from the menu
If your question is about your development cycle take a look op answer of #Keppil.
If however you are asking about real user experience this is more complicated. Browser indeed remembers your session ID in cookie and sends it on each request. To override this mechanism you can create your own tokens that will be always appended to URL.
When token is supplied it should send redirect response to URL without token.
The server side should throw user to login screen every time the token is not supplied and the request is not from redirect.
I have never tried to do this and I am not sure you really want to implement this. The ability of browser to connect to same session even if user opens another tab or browser window is very convenient and widely applicable.
Related
I have java web application using struts 1.x. Recently my application has gone through penetration testing and our testers found some security holes. Let me explain. In my application i have 2 users called ‘Admin’ and ‘user’. First our PenTester logged to my application as ‘Admin’ and they use ‘Burp tool’ to intercept the request and copy the whole request content into notepad and then forward the request. Now My application log in as ‘Admin’. They use another browser instance to login as “user” and use burp tool to intercept the request. This time they removed the whole request content and copy back the whole request content of ‘Admin’ and then forward the request. Now my application logged in as ‘Admin’ without asking any user id/password? How to restrict this situation? I already stored userid in my session variable after successful login of each user. The moment they intercept the request and copy the ‘admin’ request content, my session variable userid also changed to ‘admin’. How to validate this situation? Your help is really appreciated.
That is not really that much of an issue since the first part "copy the whole request content" is not easily doable if you have a proper HTTPS / SSL connection. That only works if the PC the user is logged in on as an admin is compromised in which case: nothing you can do about it anyway because they can just sniff the keystrokes and get the plain password.
If on the other hand you communicate without the S, namely just HTTP then the solution is: get a certificate and switch to HTTPS.
Apart from that your application can pin a session to an IP which means if the session id / cookie is stolen and someone else uses it you can detect an IP mismatch and ask for credentials again.
To prevent direct replay attacks like copying the request and sending it again you can introduce a hash that incorporates the timestamp or alternative measures, see. How do I prevent replay attacks? . The problem however is that copying the entire request means copying the cookies as well and if the "admin" cookie is copied this measure will not prevent you from "generating" a new hash based on the now admin user.
I have a bit strange requirement. My application is written is jsp and server is tomcat 7. I am using form-based authentication. Here is my problem description.
Let's say I am logged in to my application in one of the IE browser tab. Now, I open a new tab and click the bookmarked application URL. As expected since I was already logged in and browser session is detected, instead of landing to login page, the application directly lands to status home page.
The requirement is that even if user is logged in one of the browser tab and valid browser session is available, the user should always be navigated to login page rather than directly landing to home page when tried to login in another browser tab.
Appreciated for quick help.
I do not think your client fully understands what they are asking of you.
Imagine we could invent something quite nasty in javascript or with referer header, or something like that, in order to achieve what they want. What if your user entered then different credentials in your tab #2? Is your client aware that the session open in tab #1 is the same for both of them?
Make them understand they are trying to override a basic behavior of web browsers, and even if they did it would be useless. Besides that, from a usability point of view, it would harm your application, since it would trick naive users into thinking they can open many sessions in the same browser instance... good luck!
Have the domain name (assuming that is the URL that is book marked) redirect to the login page and ensure this page is displayed even if the user is already logged in.
Then, if necessary (if they currently use a URL that's just your domain name) change your 'home' link, logo link etc to the URL of your home page.
As the title said, I want to remove the cookies when I close a window. I know of the methods for cookies like Cookies.removeCookie(Constants.XXX); And also of cookie.setMaxAge(0);
for removing cookies. But that is done on clicking logout.
I want to remove cookies on window close or when application has stopped running. Because whenever, I am debugging the application, whenever I rerun the application, I see the cookie is still there even though I am not logged in, and the session has not started for the user. So there is a conflict, where the cookie is already set even though, the user has still not logged in !
Its a GWT Application.
First of all, it's important to differentiate between a cookie on the client side, and a session on the server side (I think you already knew that).
Usually, for a clean logout, you'll want to call session.invalidate() on the servers side, and Cookies.removeCookie(...) on the client side.
But not every 'logout' is clean:
The logout request may not make it to the server
The browser may crash even before you call removeCookie - so any attempt to remove a cookie on window close will be unreliable
On the server side, you can use timeouts (see the link provided by #thinksteep: How we call logout servlet on browser close event).
For the client side cookie, you can set an expiryDate/maxAge. Or you can use "session cookies": These are the cookies where you don't set expiry or maxAge at all. Most browsers will delete "session cookies" automatically when the browser restarts - but please see Firefox session cookies.
All of this may mean, that cookies are maybe not the best technology for your use case: In general, a cookie is by design available in all browser tabs, and the concept of a browser session doesn't even always end, when the browser/window closes (what would it mean on a smartphone anyway?). This is desirable for many current web sites (users don't have to log in explicitly every time), and many users have come to expect this kind of behavior.
For sites that want a "one tab = one session" policy, it's possibly better to store a token e.g. in a Javascript (or GWT) object, and send it with every request. This way, you can log in separately - even as different users - from multiple browser tabs, and once a tab closes, the token is gone. Please note, that a tab may still get restored by the browser on session restore. (I would always combine this technique with a httponly cookie, to avoid certain kinds of attacks.)
What is the best approach to ensure that a specific page (assume a single-page Web application) is open only in one browser tab?
Assume the Java Web app has authentication, i.e. user has to sign in (so we can identify which page is being viewed by which user via Java Session API).
The intention is that if another tab is opened for the same URL, the user will be redirected to a static page that tells him he has the application open somewhere else (another tab).
My current approach fails to work for tabs in the same browser, since JSESSIONID is stored in cookies, that are available for all browser's tabs.
I assume your current use case is this:
The user opens a browser tab, loads your application page and logs in.
The user then opens a second browser tab, loads your application page and is already logged in (because the browser has the same session cookies for all tabs or windows).
And you want to restrict the user so that if when they load the second tab, the instead see a warning message saying: You have already logged into this site elsewhere, please use that window, or if you no longer have that window open, click here to logout and log back in again.
Most solutions will involve keeping a one time token for the instance of the application along with the session. If your application loads up in a single page and presents the user with a login box then when the user logs in you could send the one time token, store it in a javascript variable and send it with all server requests.
If the user then loads up the application in a new tab, they request their initial data and the server can generate a response saying that the token is not present and they need to logout, close the window or switch to the already logged in window.
So the answer is baically that you want to store a random string in your session on the server, serve it to the user on login and check that every request has it otherwise bounce them to a logout page. And in the javascript of the web client, store that token and send it with every request to the server.
You can create an asynchron call to the backend (keyword: long time polling) and send single bytes through it to keep it alive. As long as it is alive, the tab is open. If a second call comes in you can test on that.
What is the best way to keep the same session when you open the same java webapp in another tab in the browser with passing parameters like username/password in most secured way.
The purpose behind is to navigate the webapp to next navigation page after doing some request to some service.
I am doing it at the client side.
This is a thought coming to my mind right now:
To add the parameters in the URL (not secure)
.....
In your server you can check if the incoming request has a valid session or not, if it has a valid session, retrieve the username or similar identifier from the session.
Depending upon the user you can show him/her the home page which they will enter if they had actually logged in the system.
If you want to show response based on the last action, then you can have the last action as part of your session and rules on your server which should fetch the correct page depending upon the last action.
For e.g. gmail will always show you the inbox if you have a valid session in one tab and you again open gmail in another tab.
If this is handled at the server level it is highly secure as you there is no need to append, send user credentials.