Rajeev K
Change JSESSIONID cookie value after Login
September 10, 2013 5:15 AM

The JSESSIONID cookie value remains same after login to the application.

How can we renew this SESSIONID after login?

Any property available for this?
Rajeev K
RE: Change JSESSIONID cookie value after Login
September 11, 2013 11:44 PM

Is anybody creating a new JSESSIONID after authentication?
Using JBoss 7.1.1
Zsigmond Rab
RE: Change JSESSIONID cookie value after Login
September 14, 2013 9:28 AM
LIFERAY STAFF

Rank: Liferay Master

Posts: 650

Join Date: January 4, 2010

Recent Posts

Hi Rajeev,

which version of the portal do you use? What is the value of the session.enable.phishing.protection property?

#
# Set this to true to invalidate the session when a user logs into the
# portal. This helps prevents phishing. Set this to false if you need the
# guest user and the authenticated user to have the same session.
#
# Set this to false if the property "company.security.auth.requires.https"
# is set to true and you want to maintain the same credentials across HTTP
# and HTTPS sessions.
#
session.enable.phishing.protection=true

Regards,
Zsigmond
Sagar A Vyas
RE: Change JSESSIONID cookie value after Login
September 14, 2013 12:13 PM

Zsigmond Rab:
Hi Rajeev,

which version of the portal do you use? What is the value of the session.enable.phishing.protection property?

#
# Set this to true to invalidate the session when a user logs into the
# portal. This helps prevents phishing. Set this to false if you need the
# guest user and the authenticated user to have the same session.
#
# Set this to false if the property "company.security.auth.requires.https"
# is set to true and you want to maintain the same credentials across HTTP
# and HTTPS sessions.
#
session.enable.phishing.protection=true

Regards,
Zsigmond


Just curious to know: is there any setting in Liferay by which the JSESSIONID will not be visible in the URL?

Thanks,
Sagar Vyas
Hi! I am Liferay
Zsigmond Rab
RE: Change JSESSIONID cookie value after Login
September 14, 2013 1:02 PM
LIFERAY STAFF

Rank: Liferay Master

Posts: 650

Join Date: January 4, 2010

Recent Posts

Hi Sagar,

check the following:

#
# Set this to true to enable sessions when cookies are disabled. See
# LEP-4787. This behavior is configurable because enabling it can break
# certain setups.
#
session.enable.url.with.session.id=true

Regards,
Zsigmond
Sagar A Vyas
RE: Change JSESSIONID cookie value after Login
September 15, 2013 2:21 AM

Zsigmond Rab:
Hi Sagar,

check the following:

#
# Set this to true to enable sessions when cookies are disabled. See
# LEP-4787. This behavior is configurable because enabling it can break
# certain setups.
#
session.enable.url.with.session.id=true

Regards,
Zsigmond


Thanks Zsigmond,

What does this mean?
"This behavior is configurable because enabling it can break certain setups."


Thanks,
Sagar Vyas
Hi! I am Liferay
Zsigmond Rab
RE: Change JSESSIONID cookie value after Login
September 15, 2013 8:08 AM
LIFERAY STAFF

Rank: Liferay Master

Posts: 650

Join Date: January 4, 2010

Recent Posts

Hi Sagar,

If an environment and its setup rely on having the jsessionid in the URL, that can cause problems.

Regards,
Zsigmond
Rajeev K
RE: Change JSESSIONID cookie value after Login
September 15, 2013 9:27 PM

Zsigmond Rab:
Hi Rajeev,

which version of the portal do you use? What is the value of the session.enable.phishing.protection property?

#
# Set this to true to invalidate the session when a user logs into the
# portal. This helps prevents phishing. Set this to false if you need the
# guest user and the authenticated user to have the same session.
#
# Set this to false if the property "company.security.auth.requires.https"
# is set to true and you want to maintain the same credentials across HTTP
# and HTTPS sessions.
#
session.enable.phishing.protection=true

Regards,
Zsigmond


Hi Zsigmond,

I am using 6.1.1 CE.

I have set session.enable.phishing.protection=true in the portal-ext file.
Zsigmond Rab
RE: Change JSESSIONID cookie value after Login
September 18, 2013 10:41 AM
LIFERAY STAFF

Rank: Liferay Master

Posts: 650

Join Date: January 4, 2010

Recent Posts

Hi Rajeev,

Do you mean this property was true before as well and so it doesn't solve the issue, or have you just applied it and solved the problem?

Regards,
Zsigmond
Rajeev K
RE: Change JSESSIONID cookie value after Login
September 18, 2013 8:02 PM

Hi Zsigmond,

I added this property just now.
But it did not solve the issue. JSESSIONID still remains the same.

Thanks
Rajeev
David H Nebinger
RE: Change JSESSIONID cookie value after Login
September 18, 2013 8:16 PM
Community Moderator

Rank: Liferay Legend

Posts: 11793

Join Date: September 1, 2006

Recent Posts

Rajeev K:
But it did not solve the issue. JSESSIONID still remains the same.


The value of the jsessionid is not up to Liferay to manage. This is the token managed solely by the application container. The application container allocates a jsessionid to a session (a specific browser from a specific system); it has absolutely nothing to do with whether you are authenticated or not.

Likewise, when you do get authenticated, it doesn't have anything to do with the application container. You're still on the same browser on the same system, so there's no reason to have a new one.

Liferay can include the jsessionid in the url (when it is necessary), but Liferay does not manage the jsessionid at all.
Rajeev K
RE: Change JSESSIONID cookie value after Login
September 18, 2013 8:26 PM

Hi David,

Understood that the JSESSIONID is managed by the application container.

But by not renewing the session identifier after a successful login, doesn't the attacker have an easier opportunity to perform a session fixation / hijacking type of exploitation?

Is this JSESSIONID different from the session ID the application maintains?

Is Liferay fully secured against session fixation / hijacking type exploitation?
https://www.owasp.org/index.php/Session_fixation

Thanks
Rajeev
David H Nebinger
RE: Change JSESSIONID cookie value after Login
September 18, 2013 8:52 PM
Community Moderator

Rank: Liferay Legend

Posts: 11793

Join Date: September 1, 2006

Recent Posts

Session fixation is an issue for the application container, not Liferay. Tomcat 6 (from 6.0.21 on) and Tomcat 7 use session fixation protection for authenticated users, but the problem is that when you log into Liferay you're not really authenticating with the container.

This has actually come up before: https://www.liferay.com/community/forums/-/message_boards/message/15610099

I did find a link which may provide you a solution for Tomcat + Liferay: http://marvinsmutterings.blogspot.com/2010/02/fixing-session-fixation-in-liferay-on.html It's a little dated, but the concepts should still be adaptable; possibly there is an easier solution to hook into Tomcat 6 or 7's session fixation protection, but it's going to take some work on your part to get there.
Tomas Polesovsky
RE: Change JSESSIONID cookie value after Login
September 19, 2013 12:22 AM
LIFERAY STAFF

Rank: Liferay Master

Posts: 645

Join Date: February 13, 2009

Recent Posts

Hi Rajeev,

Liferay has protection against session fixation when you use the login form. Are we talking here about login portlet form authentication?

It calls session.invalidate(), hoping the app server will change the session id. Please see https://github.com/liferay/liferay-portal/blob/6.1.2-ga3/portal-impl/src/com/liferay/portlet/login/util/LoginUtil.java#L306,L318

Is it possible for you to debug the code and look at session.getId()? If not, I can compile some debugging messages for you to see what is actually going on. Just tell me your portal version.

You can also try to trace HTTP requests to the server and back to see what cookies are sent.

Best,

-- tom +
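The trace check suggested above, as an added example that is not code from this thread or from Liferay: given the JSESSIONID the browser sent with the login POST and the headers of the login response, it reports whether the container rotated the id after login, whether the new cookie carries the HttpOnly and Secure flags, and whether a redirect leaks the id into the URL (the session.enable.url.with.session.id behaviour discussed earlier). The ids and header lists are constructed sample data, not captured from a real portal.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def session_cookies(headers, name="JSESSIONID"):
    """Return Morsels named `name` from every Set-Cookie header, in order."""
    found = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            if name in jar:
                found.append(jar[name])
    return found

def audit_login(sent_id, response_headers, name="JSESSIONID"):
    """Compare the id the browser sent with the login POST against what the
    login response hands back. Returns {finding: detail}; {} means the
    session was rotated and the new cookie carries the expected flags."""
    findings = {}
    issued = session_cookies(response_headers, name)
    if not issued:
        findings["no_rotation"] = "login response set no new " + name
    else:
        new = issued[-1]
        if new.value == sent_id:
            findings["no_rotation"] = "server re-issued the pre-login id"
        if not new["httponly"]:
            findings["missing_httponly"] = "cookie readable from script"
        if not new["secure"]:
            findings["missing_secure"] = "cookie also sent over plain HTTP"
    # URL rewriting puts the id in the path, where it lands in server logs,
    # proxies and Referer headers.
    for key, value in response_headers:
        if key.lower() == "location" and ";jsessionid=" in urlsplit(value).path.lower():
            findings["id_in_url"] = value
    return findings

# Constructed sample trace (not captured from a real portal): the id sent with
# the login POST and two alternative login responses.
SENT_ID = "3F2504E04F8911D39A0C0305E82C3301"
ROTATED_RESPONSE = [
    ("Set-Cookie", "JSESSIONID=9A7B0C1D2E3F4A5B6C7D8E9F0A1B2C3D; Path=/; Secure; HttpOnly"),
    ("Location", "https://portal.example/web/guest/home"),
]
FIXED_RESPONSE = [
    ("Set-Cookie", "JSESSIONID=" + SENT_ID + "; Path=/"),
    ("Location", "https://portal.example/web/guest/home;jsessionid=" + SENT_ID),
]

if __name__ == "__main__":
    print("rotated:", audit_login(SENT_ID, ROTATED_RESPONSE))
    print("fixed:  ", audit_login(SENT_ID, FIXED_RESPONSE))
```

An empty result for a login response means the container did rotate the id; the same check can be run on the post-login Set-Cookie from the debugging trace Tomáš describes.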
Rajeev K
RE: Change JSESSIONID cookie value after Login
September 19, 2013 12:26 AM

Hi Tomáš,

I am using CE 6.1.1.

Basically we are trying to confirm that Liferay is not vulnerable to session fixation, as described here: https://www.owasp.org/index.php/Session_fixation


Thanks
Rajeev
Tomas Polesovsky
RE: Change JSESSIONID cookie value after Login
September 19, 2013 12:33 AM
LIFERAY STAFF

Rank: Liferay Master

Posts: 645

Join Date: February 13, 2009

Recent Posts

It should not be vulnerable unless you misconfigure the portal.
Rajeev K
RE: Change JSESSIONID cookie value after Login
April 22, 2016 4:54 AM

<property name="org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH" value="true"/>

Does not work.

Has anybody found a solution with JBoss EAP 6.0?