Forums

liferay-portal-6.1.2-ce-ga3 session hijacking

Kruttika Phalke, modified 7 years ago.

liferay-portal-6.1.2-ce-ga3 session hijacking

New Member, Posts: 11, Joined: 22.04.13
How do I disable session hijacking in Liferay 6.1.2 CE GA3? When two different users, say user1 and user2, log in on two different systems and we edit user1's JSESSIONID with user2's JSESSIONID, user1 gets the session of user2 and is able to access it?
Rahul Mantri, modified 7 years ago.

RE: liferay-portal-6.1.2-ce-ga3 session hijacking

New Member, Posts: 10, Joined: 10.02.11
Have you tried setting the following in the portal-ext.properties file?

session.enable.url.with.session.id=false
Kruttika Phalke, modified 7 years ago.

RE: liferay-portal-6.1.2-ce-ga3 session hijacking

New Member, Posts: 11, Joined: 22.04.13
Yes Rahul, I have tried that setting, but it's the same issue.
Samuel Kong, modified 7 years ago.

RE: liferay-portal-6.1.2-ce-ga3 session hijacking

Liferay Legend, Posts: 1902, Joined: 10.03.08
Hi Kruttika,

As you noted, if someone else is able to obtain your session ID, that person can hijack your session. This is pretty much the case for all websites and not just Liferay Portal. So you should not hand out your session ID.
Kruttika Phalke, modified 7 years ago.

RE: liferay-portal-6.1.2-ce-ga3 session hijacking

New Member, Posts: 11, Joined: 22.04.13
Hi Samuel,

But this is a serious issue. I am using Liferay for banking applications, and if a user gets hijacked it can cause many issues.
Olaf Kock, modified 7 years ago.

RE: liferay-portal-6.1.2-ce-ga3 session hijacking

Liferay Legend, Posts: 6403, Joined: 23.09.08
Kruttika Phalke:
But this is a serious issue. I am using Liferay for banking applications, and if a user gets hijacked it can cause many issues.

If you're working within the banking industry, I'm sure that you use https, so there's no way that anybody can get the session id. As Sam says, this is the case for almost every application on the web. You might also be able to implement a custom login, utilizing a client certificate - but the underlying issue that you state is independent of that: Through https your session identifiers will be unknown to anyone.

Further, as you're working in the banking industry, I'm also sure that you don't want to work on an old version that has seen many updates since release (6.1 CE doesn't get any updates since December 2013). This is a bigger issue than leakage of the session id. I'd suggest to consider Liferay's Enterprise offerings, e.g. 6.2 EE or DXP, so that you get updates asap.
Kruttika Phalke, modified 7 years ago.

RE: liferay-portal-6.1.2-ce-ga3 session hijacking

New Member, Posts: 11, Joined: 22.04.13
Olaf Kock:
Kruttika Phalke:
But this is a serious issue. I am using Liferay for banking applications, and if a user gets hijacked it can cause many issues.

If you're working within the banking industry, I'm sure that you use https, so there's no way that anybody can get the session id. As Sam says, this is the case for almost every application on the web. You might also be able to implement a custom login, utilizing a client certificate - but the underlying issue that you state is independent of that: Through https your session identifiers will be unknown to anyone.

Further, as you're working in the banking industry, I'm also sure that you don't want to work on an old version that has seen many updates since release (6.1 CE doesn't get any updates since December 2013). This is a bigger issue than leakage of the session id. I'd suggest to consider Liferay's Enterprise offerings, e.g. 6.2 EE or DXP, so that you get updates asap.

OK, thank you Olaf. Currently using HTTP only. Can you help me configure HTTPS for the Liferay application? I have made the following setting in the portal-ext.properties file:
company.security.auth.requires.https=true

But no effect.
Samuel Kong, modified 7 years ago.

RE: liferay-portal-6.1.2-ce-ga3 session hijacking

Liferay Legend, Posts: 1902, Joined: 10.03.08
Hi Kruttika,

This is generally not considered a security issue. Your application server is designed to generate session IDs in such a way that it would be extremely difficult to guess a user's session ID. As long as you are using HTTPS and setting the session in a cookie (as opposed to using a GET parameter), you should be safe.
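The conditions Samuel lists (session ID in a cookie rather than a URL, HTTPS, a server that issues unguessable IDs) can be checked from a captured login exchange rather than taken on trust. The script below is an added example, not code from the thread or from Liferay: it inspects two captured responses, the first unauthenticated request and the reply to the login POST, and reports when the session ID is carried in URLs, when the ID issued before login survives authentication (the session-fixation pattern that lets a pre-planted JSESSIONID be reused), and when the cookie lacks the Secure or HttpOnly flags. The two sample exchanges are constructed inline: the "weak" one imitates an out-of-the-box bundle on plain HTTP with `;jsessionid` URL rewriting left on, the "hardened" one the same portal behind HTTPS with cookie-only tracking. The host name `portal.example.test` and the cookie values are made up.

```python
"""Audit a captured login exchange for the session weaknesses discussed in the thread.

Added example (not Liferay code). Responses are constructed below; for a real
check, fill Response objects from a proxy capture or from http.client.
"""
import re
from dataclasses import dataclass
from http.cookies import SimpleCookie

SESSION_COOKIE = "JSESSIONID"  # Tomcat's default session cookie name
URL_SESSION_ID = re.compile(r";jsessionid=[0-9A-Za-z]+", re.IGNORECASE)


@dataclass
class Response:
    """Minimal captured response: headers as (name, value) pairs, Set-Cookie may repeat."""
    status: int
    headers: list
    body: str = ""


def session_cookie(resp):
    """Return the Morsel for the session cookie set by this response, or None."""
    for name, value in resp.headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            if SESSION_COOKIE in jar:
                return jar[SESSION_COOKIE]
    return None


def audit_login(pre_login, post_login, over_https):
    """Compare the anonymous session with the one issued after authentication.

    pre_login: reply to the first request, sent without any cookies
    post_login: reply to the POST that authenticated the user
    over_https: whether the exchange was captured over TLS
    Returns a list of findings; an empty list means no check fired.
    """
    findings = []
    before = session_cookie(pre_login)
    after = session_cookie(post_login)

    # A fresh id must be issued at login; otherwise an id planted before
    # authentication (via URL or cookie) becomes the authenticated session.
    if after is None:
        findings.append("no new session cookie on login: pre-login id kept (session fixation)")
    elif before is not None and before.value == after.value:
        findings.append("session id not rotated on login: pre-login id kept (session fixation)")

    cookie = after or before
    if cookie is not None:
        if not cookie["httponly"]:
            findings.append("session cookie lacks HttpOnly: readable by injected script")
        if over_https and not cookie["secure"]:
            findings.append("session cookie lacks Secure: browser may send it over plain http")

    # URL rewriting puts the id into links and redirects, where it leaks through
    # Referer headers, proxy logs, browser history and copy-pasted links.
    for resp in (pre_login, post_login):
        urls = [v for n, v in resp.headers if n.lower() == "location"] + [resp.body]
        if any(URL_SESSION_ID.search(u) for u in urls):
            findings.append("session id carried in URLs: leaks via Referer, logs and history")
            break

    if not over_https:
        findings.append("exchange over plain http: session id visible on the wire")
    return findings


# Constructed exchange: plain http, URL rewriting on, id reused after login.
WEAK_FIRST = Response(200, [
    ("Set-Cookie", "JSESSIONID=7C0B2E3FA1D5B6E7A8F9; Path=/"),
    ("Set-Cookie", "COOKIE_SUPPORT=true; Path=/; Max-Age=31536000"),
], body='<a href="/web/guest/home;jsessionid=7C0B2E3FA1D5B6E7A8F9">Home</a>')
WEAK_LOGIN = Response(302, [
    ("Location", "http://portal.example.test/web/guest/home;jsessionid=7C0B2E3FA1D5B6E7A8F9"),
])

# Constructed exchange: https, cookie-only tracking, flags set, new id at login.
HARD_FIRST = Response(200, [
    ("Set-Cookie", "JSESSIONID=1A2B3C4D5E6F708192A3; Path=/; Secure; HttpOnly"),
], body='<a href="/web/guest/home">Home</a>')
HARD_LOGIN = Response(302, [
    ("Set-Cookie", "JSESSIONID=B4C5D6E7F80912A3B4C5; Path=/; Secure; HttpOnly"),
    ("Location", "https://portal.example.test/group/bank/home"),
])


def demo():
    """Audit both constructed exchanges; returns (weak_findings, hardened_findings)."""
    return (audit_login(WEAK_FIRST, WEAK_LOGIN, over_https=False),
            audit_login(HARD_FIRST, HARD_LOGIN, over_https=True))


if __name__ == "__main__":
    weak, hardened = demo()
    print("weak exchange:", *weak, sep="\n  ")
    print("hardened exchange:", hardened or "no findings")
```

Run it as-is to see the four findings on the weak exchange and none on the hardened one; to audit a real portal, capture the first GET and the login POST with a proxy and copy the headers into `Response` objects. The check deliberately does not try to guess IDs: Tomcat's IDs come from `SecureRandom`, and the realistic ways to obtain one are the leaks above, not guessing.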
Kruttika Phalke, modified 7 years ago.

RE: liferay-portal-6.1.2-ce-ga3 session hijacking

New Member, Posts: 11, Joined: 22.04.13
Samuel Kong:
Hi Kruttika,

This is generally not considered a security issue. Your application server is designed to generate session IDs in such a way that it would be extremely difficult to guess a user's session ID. As long as you are using HTTPS and setting the session in a cookie (as opposed to using a GET parameter), you should be safe.

OK, thank you Samuel. Currently using HTTP only. Can you help me configure HTTPS for the Liferay application? I have made the following setting in the portal-ext.properties file:
company.security.auth.requires.https=true

But no effect.
Samuel Kong, modified 7 years ago.

RE: liferay-portal-6.1.2-ce-ga3 session hijacking

Liferay Legend, Posts: 1902, Joined: 10.03.08
You should check your app server's documentation.
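The app-server side that the last reply points to, as an added example (not from the thread, and not Liferay's or Tomcat's own documentation). It assumes Liferay 6.1 running on the Tomcat 7 it was bundled with, and a Java keystore at `/opt/liferay/keystore.jks` holding the server certificate; the path and password are placeholders. The reason `company.security.auth.requires.https=true` had "no effect" on its own is that the property only makes Liferay build its login URLs with the https scheme; nothing listens on that scheme until the app server has an HTTPS connector.

```xml
<!-- tomcat/conf/server.xml: HTTPS connector (Tomcat 7 syntax, as bundled with Liferay 6.1).
     keystoreFile/keystorePass are placeholders; create the keystore with
     `keytool -genkeypair` for testing, or import a CA-issued certificate. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS" clientAuth="false"
           keystoreFile="/opt/liferay/keystore.jks" keystorePass="changeit"
           maxThreads="150" URIEncoding="UTF-8" />

<!-- The plain connector stays only so that http requests can be redirected;
     the security constraint below (or a front proxy) does the redirect. -->
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" URIEncoding="UTF-8" />

<!-- Servlet 3.0 session settings (tomcat/conf/web.xml, or the portal's own
     WEB-INF/web.xml if it already declares session-config, since the
     application-level block takes precedence): track sessions by cookie only,
     so no ;jsessionid is ever appended to URLs, and mark the cookie Secure and
     HttpOnly so the browser neither sends it over http nor exposes it to script. -->
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

<!-- Refuse plain http for everything: Tomcat answers with a redirect to redirectPort. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>whole portal</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

On the Liferay side, pair this with `web.server.protocol=https` and `company.security.auth.requires.https=true` in portal-ext.properties so generated links use https, keep `session.enable.url.with.session.id=false` as Rahul suggested, and restart the bundle. Then verify with a browser or a proxy that the login response carries `Set-Cookie: JSESSIONID=...; Secure; HttpOnly` and that no link contains `;jsessionid=`. One caveat a practitioner should keep in mind: TLS protects the ID in transit and the flags keep it out of page script, but neither helps if the ID is handed over deliberately, as in the original test, or if the portal itself is unpatched; the version concern Olaf raises stands regardless of this configuration.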