What is the best way to keep the same session when you open the same java webapp in another tab in the browser with passing parameters like username/password in most secured way.
The purpose behind is to navigate the webapp to next navigation page after doing some request to some service.
I am doing it at the client side.
This is a thought coming to my mind right now:
To add the parameters in the URL (not secure)
.....
In your server you can check if the incoming request has a valid session or not, if it has a valid session, retrieve the username or similar identifier from the session.
Depending upon the user you can show him/her the home page which they will enter if they had actually logged in the system.
If you want to show response based on the last action, then you can have the last action as part of your session and rules on your server which should fetch the correct page depending upon the last action.
For e.g. gmail will always show you the inbox if you have a valid session in one tab and you again open gmail in another tab.
If this is handled at the server level it is highly secure as you there is no need to append, send user credentials.
Related
I have java web application using struts 1.x. Recently my application has gone through penetration testing and our testers found some security holes. Let me explain. In my application i have 2 users called ‘Admin’ and ‘user’. First our PenTester logged to my application as ‘Admin’ and they use ‘Burp tool’ to intercept the request and copy the whole request content into notepad and then forward the request. Now My application log in as ‘Admin’. They use another browser instance to login as “user” and use burp tool to intercept the request. This time they removed the whole request content and copy back the whole request content of ‘Admin’ and then forward the request. Now my application logged in as ‘Admin’ without asking any user id/password? How to restrict this situation? I already stored userid in my session variable after successful login of each user. The moment they intercept the request and copy the ‘admin’ request content, my session variable userid also changed to ‘admin’. How to validate this situation? Your help is really appreciated.
That is not really that much of an issue since the first part "copy the whole request content" is not easily doable if you have a proper HTTPS / SSL connection. That only works if the PC the user is logged in on as an admin is compromised in which case: nothing you can do about it anyway because they can just sniff the keystrokes and get the plain password.
If on the other hand you communicate without the S, namely just HTTP then the solution is: get a certificate and switch to HTTPS.
Apart from that your application can pin a session to an IP which means if the session id / cookie is stolen and someone else uses it you can detect an IP mismatch and ask for credentials again.
To prevent direct replay attacks like copying the request and sending it again you can introduce a hash that incorporates the timestamp or alternative measures, see. How do I prevent replay attacks? . The problem however is that copying the entire request means copying the cookies as well and if the "admin" cookie is copied this measure will not prevent you from "generating" a new hash based on the now admin user.
I have a bit strange requirement. My application is written is jsp and server is tomcat 7. I am using form-based authentication. Here is my problem description.
Let's say I am logged in to my application in one of the IE browser tab. Now, I open a new tab and click the bookmarked application URL. As expected since I was already logged in and browser session is detected, instead of landing to login page, the application directly lands to status home page.
The requirement is that even if user is logged in one of the browser tab and valid browser session is available, the user should always be navigated to login page rather than directly landing to home page when tried to login in another browser tab.
Appreciated for quick help.
I do not think your client fully understands what they are asking of you.
Imagine we could invent something quite nasty in javascript or with referer header, or something like that, in order to achieve what they want. What if your user entered then different credentials in your tab #2? Is your client aware that the session open in tab #1 is the same for both of them?
Make them understand they are trying to override a basic behavior of web browsers, and even if they did it would be useless. Besides that, from a usability point of view, it would harm your application, since it would trick naive users into thinking they can open many sessions in the same browser instance... good luck!
Have the domain name (assuming that is the URL that is book marked) redirect to the login page and ensure this page is displayed even if the user is already logged in.
Then, if necessary (if they currently use a URL that's just your domain name) change your 'home' link, logo link etc to the URL of your home page.
What is the best approach to ensure that a specific page (assume a single-page Web application) is open only in one browser tab?
Assume the Java Web app has authentication, i.e. user has to sign in (so we can identify which page is being viewed by which user via Java Session API).
The intention is that if another tab is opened for the same URL, the user will be redirected to a static page that tells him he has the application open somewhere else (another tab).
My current approach fails to work for tabs in the same browser, since JSESSIONID is stored in cookies, that are available for all browser's tabs.
I assume your current use case is this:
The user opens a browser tab, loads your application page and logs in.
The user then opens a second browser tab, loads your application page and is already logged in (because the browser has the same session cookies for all tabs or windows).
And you want to restrict the user so that if when they load the second tab, the instead see a warning message saying: You have already logged into this site elsewhere, please use that window, or if you no longer have that window open, click here to logout and log back in again.
Most solutions will involve keeping a one time token for the instance of the application along with the session. If your application loads up in a single page and presents the user with a login box then when the user logs in you could send the one time token, store it in a javascript variable and send it with all server requests.
If the user then loads up the application in a new tab, they request their initial data and the server can generate a response saying that the token is not present and they need to logout, close the window or switch to the already logged in window.
So the answer is baically that you want to store a random string in your session on the server, serve it to the user on login and check that every request has it otherwise bounce them to a logout page. And in the javascript of the web client, store that token and send it with every request to the server.
You can create an asynchron call to the backend (keyword: long time polling) and send single bytes through it to keep it alive. As long as it is alive, the tab is open. If a second call comes in you can test on that.
I developed the webapplication with Struts2.after logging to the my application copy the url and paste to the same browser with different tab then its going to directly without restrict.in that situation i want restrict it.
but same url copy and paste to another browser its working fine .only same browser and different Tab then only problem
This is because your browser has stored your login authentication in the session. It will remember this until you either
Close all windows of the browser or
Choose New Session from the menu
If your question is about your development cycle take a look op answer of #Keppil.
If however you are asking about real user experience this is more complicated. Browser indeed remembers your session ID in cookie and sends it on each request. To override this mechanism you can create your own tokens that will be always appended to URL.
When token is supplied it should send redirect response to URL without token.
The server side should throw user to login screen every time the token is not supplied and the request is not from redirect.
I have never tried to do this and I am not sure you really want to implement this. The ability of browser to connect to same session even if user opens another tab or browser window is very convenient and widely applicable.
I am using GWT for my client side application. I am not using GWT/Java for the server. However, I am not sure how I can handle session management. The GWT application resides on one page, all server calls are done via AJAX. If a session expires on the server... let's assume the user didn't close the browser, but left the application open, how could my server notify the application that the session has expired and that the client side portion should show the login screen again?
What is meant by client side session management? That seems inherently insecure.
I'm not looking for code. I'm looking for ideas, techniques, potential solutions etc. I've considered Comet http://en.wikipedia.org/wiki/Comet_(programming), but that doesn't seem like that will work very well without using Java on the server side. Maybe, I'm wrong? I don't want to poll the server either.
Any thoughts or insight?
Without knowing how you're doing your RPC is working, its hard to give good advice.
If your AJAX service requires a user to be authenticated (IE have a valid session), it is ok to just send a 401 error saying that the user is invalid. Client-side can interpret the 401 error as a message that it should set the user up for re-authentication.
We handled this in our application, by detecting when the server sent back a redirect to the login screen (it would come through the response to the Ajax call), and popped up a dialog asking the user for their password again, but pre-filled their username. We then posted that to the same place the login page does, as if it was the login page, and so the user was logged into this new session automatically. Finally we just re-submitted the ajax call again, so it was a seamless process to the user (eg: they didn't have to click the action again).
Since we stored all the state on the client, and not in session variables we didn't have any problems trying to persist data across sessions.
What should happen if the session expired on the server-side, then the next time the client sends a request to the server, it will either create a new session, or, more likely, send back a message to the client that it is trying to access a page without a session, and send them to the login screen. However, you will still need to wait until the client sends a message to the server.