0 Replies Latest reply on Dec 5, 2013 2:55 AM by wguo

    Session Fixation

    wguo

      Hi ,

       

            Now our security team reported an issue Session Fixation :    after user login project on machine A , if i copy cookie JSESSIONID to the machine B , the user on machineB can view the private content of the project ,

      so do you have any advice about this issue ,  thanks !

       

      Steps to Reproduce:

      1. Get cookie from the browser on machine A.

      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0

      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

      Accept-Language: en-US,en;q=0.5

      Accept-Encoding: gzip, deflate

      Cookie: JSESSIONID=DWQ6ztJvJeEZA77uVzE3Dg__

        ^^^^^^^^^^^^^^^^^^^^^^^^

      Connection: keep-alive

      Cache-Control: max-age=0

       

      2. Clear cookie of browser on machine B.

       

      3. Request project homepage on machine B and modify the set-cookie to A's cookie in the response.

      GET XXX HTTP/1.1

      Host: XXXXXX

      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0

      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

      Accept-Language: en-US,en;q=0.5

      Accept-Encoding: gzip, deflate

      Connection: keep-alive

       

      HTTP/1.1 200 OK

      Date: Thu, 15 Aug 2013 10:45:23 GMT

      X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1

      Set-Cookie: JSESSIONID=DWQ6ztJvJeEZA77uVzE3Dg__; Path=/; Secure

        ^^^^^^^^^^^^^^^^^^^^^^^^^

      Cache-Control: no-cache

      Content-Type: text/html;charset=UTF-8

      Keep-Alive: timeout=15, max=100

      Connection: Keep-Alive

      Content-Length: 24896

       

      4. Login in browser of machine B.

       

      Actual results:

      Both machine A and B login the project successfully.

       

      Expected results:

      Machine A should not login without providing any credential.

       

      Additional info: 

      Attacker can modify user's cookie by sending a malicious link to user.