Discussion forums
liferay-portal-6.1.2-ce-ga3 session hijacking
Kruttika Phalke, modified 7 years ago.
liferay-portal-6.1.2-ce-ga3 session hijacking
New Member Posts: 11 Join date: 22/04/13
How do I disable session hijacking in Liferay 6.1.2 CE GA3? When two different users, say user1 and user2, log in from two different systems and we replace user1's JSESSIONID with user2's JSESSIONID, user1 gets user2's session and is able to access it?
Rahul Mantri, modified 7 years ago.
RE: liferay-portal-6.1.2-ce-ga3 session hijacking
New Member Posts: 10 Join date: 10/02/11
Have you tried setting the following in the portal-ext.properties file?
session.enable.url.with.session.id=false
Kruttika Phalke, modified 7 years ago.
RE: liferay-portal-6.1.2-ce-ga3 session hijacking
New Member Posts: 11 Join date: 22/04/13
Yes Rahul, I have tried that setting, but I have the same issue.
Samuel Kong, modified 7 years ago.
RE: liferay-portal-6.1.2-ce-ga3 session hijacking
Liferay Legend Posts: 1902 Join date: 10/03/08
Hi Kruttika,
As you noted, if someone else is able to obtain your session ID, that person can hijack your session. This is pretty much the case for all websites and not just Liferay Portal. So you should not hand out your session ID.
Kruttika Phalke, modified 7 years ago.
RE: liferay-portal-6.1.2-ce-ga3 session hijacking
New Member Posts: 11 Join date: 22/04/13
Hi Samuel,
But this is a serious issue. I am using Liferay for banking applications, and if the user gets hijacked it can cause many issues.
Olaf Kock, modified 7 years ago.
RE: liferay-portal-6.1.2-ce-ga3 session hijacking
Liferay Legend Posts: 6403 Join date: 23/09/08
Kruttika Phalke wrote:
But this is a serious issue. I am using Liferay for banking applications, and if the user gets hijacked it can cause many issues.
If you're working within the banking industry, I'm sure that you use https, so there's no way that anybody can get the session id. As Sam says, this is the case for almost every application on the web. You might also be able to implement a custom login, utilizing a client certificate - but the underlying issue that you state is independent of that: through https your session identifiers will be unknown to anyone.
Further, as you're working in the banking industry, I'm also sure that you don't want to work on an old version that has seen many updates since release (6.1 CE hasn't received any updates since December 2013). This is a bigger issue than leakage of the session id. I'd suggest considering Liferay's Enterprise offerings, e.g. 6.2 EE or DXP, so that you get updates asap.
Kruttika Phalke, modified 7 years ago.
RE: liferay-portal-6.1.2-ce-ga3 session hijacking
New Member Posts: 11 Join date: 22/04/13
Olaf Kock wrote:
Kruttika Phalke wrote: But this is a serious issue. I am using Liferay for banking applications, and if the user gets hijacked it can cause many issues.
If you're working within the banking industry, I'm sure that you use https, so there's no way that anybody can get the session id. As Sam says, this is the case for almost every application on the web. You might also be able to implement a custom login, utilizing a client certificate - but the underlying issue that you state is independent of that: through https your session identifiers will be unknown to anyone.
Further, as you're working in the banking industry, I'm also sure that you don't want to work on an old version that has seen many updates since release (6.1 CE hasn't received any updates since December 2013). This is a bigger issue than leakage of the session id. I'd suggest considering Liferay's Enterprise offerings, e.g. 6.2 EE or DXP, so that you get updates asap.
OK, thank you Olaf. We are currently using HTTP only. Can you help me with how to configure HTTPS for a Liferay application? I have made the following setting in the portal-ext.properties file:
company.security.auth.requires.https=true
But it has no effect.
Samuel Kong, modified 7 years ago.
RE: liferay-portal-6.1.2-ce-ga3 session hijacking
Liferay Legend Posts: 1902 Join date: 10/03/08
Hi Kruttika,
This is generally not considered a security issue. Your application server is designed to generate session IDs in such a way that it would be extremely difficult to guess a user's session ID. As long as you are using HTTPS and setting the session in a cookie (as opposed to using a GET parameter), you should be safe.
Kruttika Phalke, modified 7 years ago.
RE: liferay-portal-6.1.2-ce-ga3 session hijacking
New Member Posts: 11 Join date: 22/04/13
Samuel Kong wrote:
Hi Kruttika,
This is generally not considered a security issue. Your application server is designed to generate session IDs in such a way that it would be extremely difficult to guess a user's session ID. As long as you are using HTTPS and setting the session in a cookie (as opposed to using a GET parameter), you should be safe.
OK, thank you Samuel. We are currently using HTTP only. Can you help me with how to configure HTTPS for a Liferay application? I have made the following setting in the portal-ext.properties file:
company.security.auth.requires.https=true
But it has no effect.
Samuel Kong, modified 7 years ago.
RE: liferay-portal-6.1.2-ce-ga3 session hijacking
Liferay Legend Posts: 1902 Join date: 10/03/08
You should check your app server's documentation.
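The replies above come down to three controls: do not let the container write the session id into URLs (the session.enable.url.with.session.id property Rahul quotes), require HTTPS for login (the company.security.auth.requires.https property Kruttika tried), and carry the id in a cookie the browser only sends over TLS and does not expose to scripts (Samuel's point). The script below is an added example, not code from the thread or from Liferay: it audits a portal-ext.properties fragment for those two keys and checks the Set-Cookie header the app server emits for the Secure and HttpOnly attributes. The property values and cookie headers it runs on are constructed samples, and the expected values for the two keys are taken from the thread, not from Liferay documentation.

```python
"""Audit the session-handling controls discussed in the thread.

Added example, not part of the thread or of Liferay.  All inputs below
are constructed samples.
"""

# The two portal-ext.properties keys quoted in the thread and the value
# each should hold according to the replies.
EXPECTED_PROPERTIES = {
    # false: the container must not rewrite ;jsessionid=... into URLs
    "session.enable.url.with.session.id": "false",
    # true: the portal requires HTTPS for authentication
    "company.security.auth.requires.https": "true",
}


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def audit_properties(props):
    """Return one finding per expected key that is absent or holds the wrong value."""
    findings = []
    for key, want in EXPECTED_PROPERTIES.items():
        have = props.get(key)
        if have is None:
            findings.append(f"{key} is not set; expected {want}")
        elif have.lower() != want:
            findings.append(f"{key}={have}; expected {want}")
    return findings


def audit_set_cookie(header_value, session_cookie="JSESSIONID"):
    """Check a Set-Cookie header value for the Secure and HttpOnly attributes.

    Secure stops the browser sending the id over plain HTTP; HttpOnly stops
    page scripts reading it.  Both are standard cookie attributes (RFC 6265)
    that the app server, not the portal, decides whether to set.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _ = parts[0].partition("=")
    if name.strip() != session_cookie:
        return [f"header does not set {session_cookie}"]
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append("Secure attribute missing: cookie will be sent over HTTP")
    if "httponly" not in attrs:
        findings.append("HttpOnly attribute missing: cookie readable by page scripts")
    return findings


def url_carries_session_id(url):
    """True when a URL embeds the id as a ;jsessionid path parameter (URL rewriting)."""
    return ";jsessionid=" in url.lower()


# Constructed sample inputs: the thread's starting point and a hardened version.
WEAK_PROPERTIES = """
# portal-ext.properties as described in the thread: http only, id in URLs
session.enable.url.with.session.id=true
"""

HARDENED_PROPERTIES = """
session.enable.url.with.session.id=false
company.security.auth.requires.https=true
"""

WEAK_COOKIE = "JSESSIONID=CONSTRUCTED0123456789; Path=/"
HARDENED_COOKIE = "JSESSIONID=CONSTRUCTED0123456789; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(label, "properties:", audit_properties(parse_properties(text)) or "ok")
    for label, hdr in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        print(label, "cookie:", audit_set_cookie(hdr) or "ok")
    sample_url = "https://portal.example/web/guest;jsessionid=CONSTRUCTED0123"
    print("url rewriting:", url_carries_session_id(sample_url))
```

Run it against the real portal-ext.properties and a captured Set-Cookie header from a login response. A clean result on the properties alone is not enough: the Secure and HttpOnly attributes, like the HTTPS connector itself, are configured in the app server, which is why the last reply in the thread points at the app server's documentation.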