In my Java EE application, I have a problem with sessions. Different users can login to the application and the specified user can see the data for which he is authorized. He should not be able to see other user data. To differentiate users, we are using Client_ID. As soon as the user logs in we are fetching this Client_ID from the database and setting it in session like this:
session.setAttribute("Client_ID",user.getClient_ID())
We access this session value throughout the application and fetching the relevant data to that Client_ID. This works fine when users work on a single browser, but the problem is this:
Suppose there is a SuperAdmin, who needs to look all the clients under him. SuperAdmin logs in as client_1, and again as client_2. SuperAdmin has logged in both times using the same browser. When I refresh the client_1 browser, I am seeing the client_2 details, which should not happen.
I think our application is using the same session for two different logins in the same browser. What would be solution for this problem? I should see the correct data for the particular client when I refresh the page.
Don't use cookies for storing Session ID, but use request parameter instead.
So each opened tab will request the own session. With cookies you have only one cookie for all tabs in browser.
P.S.:
I think that it's incorrect to log in under 2 or more users within one browser at the same moment. Your application should detect that client_1 is already signed it and restict log in for other users from the same browser until logout. For example, Google's applications work in such way.
Also would be great if SuperAdmin have a feature to see client_1 or client_2 data without log in. This will save him/her from remembering dozens of passwords and will increase performance of work (time is moneys, isn't?).
If you want multiple tabs within the same browser instance to see different things, then you will have to rework your session management and key things off of the URL.
The session is shared between browser tabs (true for most browsers), so logging in with one tab will affect the sessions for other tabs.
The solution is to use roles instead of multiple logins. You would give client_1 SuperAdmin role, and client 2 doesn't. This would reduce the need to login twice.
But in any case, you should only allow one user to be logged in at once. The process of logging in should invalidate the previous session. I forget the exact code in Java EE, but it is something like session.invalidate().
Related
I have java web application using struts 1.x. Recently my application has gone through penetration testing and our testers found some security holes. Let me explain. In my application i have 2 users called ‘Admin’ and ‘user’. First our PenTester logged to my application as ‘Admin’ and they use ‘Burp tool’ to intercept the request and copy the whole request content into notepad and then forward the request. Now My application log in as ‘Admin’. They use another browser instance to login as “user” and use burp tool to intercept the request. This time they removed the whole request content and copy back the whole request content of ‘Admin’ and then forward the request. Now my application logged in as ‘Admin’ without asking any user id/password? How to restrict this situation? I already stored userid in my session variable after successful login of each user. The moment they intercept the request and copy the ‘admin’ request content, my session variable userid also changed to ‘admin’. How to validate this situation? Your help is really appreciated.
That is not really that much of an issue since the first part "copy the whole request content" is not easily doable if you have a proper HTTPS / SSL connection. That only works if the PC the user is logged in on as an admin is compromised in which case: nothing you can do about it anyway because they can just sniff the keystrokes and get the plain password.
If on the other hand you communicate without the S, namely just HTTP then the solution is: get a certificate and switch to HTTPS.
Apart from that your application can pin a session to an IP which means if the session id / cookie is stolen and someone else uses it you can detect an IP mismatch and ask for credentials again.
To prevent direct replay attacks like copying the request and sending it again you can introduce a hash that incorporates the timestamp or alternative measures, see. How do I prevent replay attacks? . The problem however is that copying the entire request means copying the cookies as well and if the "admin" cookie is copied this measure will not prevent you from "generating" a new hash based on the now admin user.
I am creating one web application in java. I am using session for this application. when i deleting cookie from browser at that time my session is invalidate. i want to prevent that thing.
for ex:
when you are logging in banking website. after logged in website you remove cookie from browser you are still logging in website.
Anyone know how to store session of user when clear the cookies.
There is no way to. If the user deletes cookies, there is no way to identify him in subsequent requests.
There are some "hacky" ways to do it (for example this), but I don't recommend you to do this. What's the reason to? Cookies are standard.
As the title said, I want to remove the cookies when I close a window. I know of the methods for cookies like Cookies.removeCookie(Constants.XXX); And also of cookie.setMaxAge(0);
for removing cookies. But that is done on clicking logout.
I want to remove cookies on window close or when application has stopped running. Because whenever, I am debugging the application, whenever I rerun the application, I see the cookie is still there even though I am not logged in, and the session has not started for the user. So there is a conflict, where the cookie is already set even though, the user has still not logged in !
Its a GWT Application.
First of all, it's important to differentiate between a cookie on the client side, and a session on the server side (I think you already knew that).
Usually, for a clean logout, you'll want to call session.invalidate() on the servers side, and Cookies.removeCookie(...) on the client side.
But not every 'logout' is clean:
The logout request may not make it to the server
The browser may crash even before you call removeCookie - so any attempt to remove a cookie on window close will be unreliable
On the server side, you can use timeouts (see the link provided by #thinksteep: How we call logout servlet on browser close event).
For the client side cookie, you can set an expiryDate/maxAge. Or you can use "session cookies": These are the cookies where you don't set expiry or maxAge at all. Most browsers will delete "session cookies" automatically when the browser restarts - but please see Firefox session cookies.
All of this may mean, that cookies are maybe not the best technology for your use case: In general, a cookie is by design available in all browser tabs, and the concept of a browser session doesn't even always end, when the browser/window closes (what would it mean on a smartphone anyway?). This is desirable for many current web sites (users don't have to log in explicitly every time), and many users have come to expect this kind of behavior.
For sites that want a "one tab = one session" policy, it's possibly better to store a token e.g. in a Javascript (or GWT) object, and send it with every request. This way, you can log in separately - even as different users - from multiple browser tabs, and once a tab closes, the token is gone. Please note, that a tab may still get restored by the browser on session restore. (I would always combine this technique with a httponly cookie, to avoid certain kinds of attacks.)
We have a web application where users can login.
Now what we want is that the same user should not be able to login using different browsers.
Basically currently a user using two different browsers (IE and FF) can log in to the same account at the same time. When you hit the login button, is it possible to invalidate all other logins for that account.
What is the best possible approach to do this?
PS: We are using Struts, Spring and Hibernate in our web application.
Thanks !
Doing this on server-side is your best bet. You can keep tract of logged-in users in your application context.
Well, a little hint. Make use of a Servlet Filter, say AuthFilter, and make validation, may be isAlreadyLoggedIn(), over there beside other validations like username/password etc.. Now after having this check in place, you either -- that it depends what you want to do with the user trying to log in, show the message that "user already logged-in", or you can let the user log-in and invalidate the previous session. As discussed here.
You can store the logged in user information in database or you can get it from Application context. and if the user is logged in already don't allow to make him another session.
Google uses some ip address mechanism to logout the user logged in another computer,instead of logging off in the same browser or tab.
May be we can use geoip database Geolitecity to save the user's ip + Balusc answer of storing session using user as the key and the ip address for the solution .
Have a column isLoggedIn in database. Set to Y , if it logged, if the same user log's in from the another computer or brower, invalidate the session. Mind to set it to N ,if session expires.
* For Best Read the Balusc's answer *
prevent-multiple-login-using-the-same-user-name-and-password using HttpSessionBindingListener.
If a user opens 2 web pages simultaneously they will create 2 sessions.
Usually this would not matter but it does create a problem for remember me functionality when attempting to rotate cookie tokens as recommended in the persistent login cookie best practices. There seems to be no way to rotate both cookies correctly where both sessions are opened simultaneously.
How can I resolve this?
I use Tomcat and Struts 1, but I think this is framework independent.
extending #Thilo answer He is correct, any subsequent access to other page will follow send the cookies for that domain. e.g open gmail, login and now open gmail in other tab or window it send the cookie for that domain. since the cookie hold the session information on any subsequent request only session id/value will be changed.
You can check it using firebug and its extension fire-cookie.
On matter of avoiding remember-me problem as said in the link you specified it is more to design problem as how you are handling it.