Discussion forums

liferay-portal-6.1.2-ce-ga3 session hijacking

Kruttika Phalke, modified 7 years ago.

liferay-portal-6.1.2-ce-ga3 session hijacking

New Member Posts: 11 Join date: 22/04/13 Recent posts
How can I disable session hijacking in Liferay 6.1.2 CE GA3? When two different users, say user1 and user2, log in on two different systems, and we replace user1's JSESSIONID with user2's JSESSIONID, user1 gets user2's session and is able to access it?
Rahul Mantri, modified 7 years ago.

RE: liferay-portal-6.1.2-ce-ga3 session hijacking

New Member Posts: 10 Join date: 10/02/11 Recent posts
Have you tried setting the following in the portal-ext.properties file?

session.enable.url.with.session.id=false
Kruttika Phalke, modified 7 years ago.

RE: liferay-portal-6.1.2-ce-ga3 session hijacking

New Member Posts: 11 Join date: 22/04/13 Recent posts
Yes Rahul, I have tried that setting, but it is the same issue.
Samuel Kong, modified 7 years ago.

RE: liferay-portal-6.1.2-ce-ga3 session hijacking

Liferay Legend Posts: 1902 Join date: 10/03/08 Recent posts
Hi Kruttika,

As you noted, if someone else is able to obtain your session ID, that person can hijack your session. This is pretty much the case for all websites and not just Liferay Portal. So you should not hand out your session ID.
Kruttika Phalke, modified 7 years ago.

RE: liferay-portal-6.1.2-ce-ga3 session hijacking

New Member Posts: 11 Join date: 22/04/13 Recent posts
Hi Samuel ,

But this is a serious issue. I am using Liferay for banking applications, and if a user's session gets hijacked it can cause many issues.
Olaf Kock, modified 7 years ago.

RE: liferay-portal-6.1.2-ce-ga3 session hijacking

Liferay Legend Posts: 6403 Join date: 23/09/08 Recent posts
Kruttika Phalke:
But this is a serious issue. I am using Liferay for banking applications, and if a user's session gets hijacked it can cause many issues.

If you're working within the banking industry, I'm sure that you use https, so there's no way that anybody can get the session id. As Sam says, this is the case for almost every application on the web. You might also be able to implement a custom login, utilizing a client certificate - but the underlying issue that you state is independent of that: Through https your session identifiers will be unknown to anyone.

Further, as you're working in the banking industry, I'm also sure that you don't want to work on an old version that has seen many updates since release (6.1 CE hasn't received any updates since December 2013). This is a bigger issue than leakage of the session id. I'd suggest considering Liferay's Enterprise offerings, e.g. 6.2 EE or DXP, so that you get updates asap.
Kruttika Phalke, modified 7 years ago.

RE: liferay-portal-6.1.2-ce-ga3 session hijacking

New Member Posts: 11 Join date: 22/04/13 Recent posts
Olaf Kock:
Kruttika Phalke:
But this is a serious issue. I am using Liferay for banking applications, and if a user's session gets hijacked it can cause many issues.

If you're working within the banking industry, I'm sure that you use https, so there's no way that anybody can get the session id. As Sam says, this is the case for almost every application on the web. You might also be able to implement a custom login, utilizing a client certificate - but the underlying issue that you state is independent of that: Through https your session identifiers will be unknown to anyone.

Further, as you're working in the banking industry, I'm also sure that you don't want to work on an old version that has seen many updates since release (6.1 CE hasn't received any updates since December 2013). This is a bigger issue than leakage of the session id. I'd suggest considering Liferay's Enterprise offerings, e.g. 6.2 EE or DXP, so that you get updates asap.

OK, thank you Olaf. We are currently using HTTP only. Can you help me with how to configure HTTPS for the Liferay application? I have made the following setting in the portal-ext.properties file:
company.security.auth.requires.https=true

But it has no effect.
Samuel Kong, modified 7 years ago.

RE: liferay-portal-6.1.2-ce-ga3 session hijacking

Liferay Legend Posts: 1902 Join date: 10/03/08 Recent posts
Hi Kruttika,

This is generally not considered a security issue. Your application server is designed to generate session IDs in such a way that it would be extremely difficult to guess a user's session ID. As long as you are using HTTPS and setting the session in a cookie (as opposed to using a GET parameter), you should be safe.
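The two replies above reduce to a short checklist for how the session identifier travels: it should be carried in a cookie rather than in the URL, the cookie should only be sent over HTTPS (Secure) and should not be readable by page scripts (HttpOnly). The following Python script, added here as an example and not taken from the thread or from Liferay, audits a login response against exactly that checklist. The hostname, the cookie value and the Set-Cookie headers are constructed sample data, not a capture from a real portal.

```python
"""Audit how a web application delivers its session identifier.

Added example (not from the forum thread or from Liferay): given the
Set-Cookie headers of a login response and the URL the browser ends up
on, report whether the session cookie carries Secure and HttpOnly and
whether the session ID leaked into the URL (";jsessionid=" path
parameter or a query parameter). All inputs below are constructed.
"""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, value, {attr: value}).

    Flag attributes without a value (Secure, HttpOnly) map to True;
    attribute names are lower-cased because they are case-insensitive.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def session_id_in_url(url, cookie_name="JSESSIONID"):
    """True if the session ID is carried in the URL instead of a cookie.

    Servlet containers rewrite URLs as /path;jsessionid=... when cookies
    are disabled or URL rewriting is allowed; a query parameter of the
    same name is also treated as a leak.
    """
    split = urlsplit(url)  # urlsplit keeps ";param" inside .path
    if ";" + cookie_name.lower() + "=" in split.path.lower():
        return True
    query = dict(pair.split("=", 1) for pair in split.query.split("&") if "=" in pair)
    return any(key.lower() == cookie_name.lower() for key in query)


def audit_session_transport(set_cookie_headers, landing_url, cookie_name="JSESSIONID"):
    """Return a list of findings; an empty list means the checklist passed."""
    findings = []
    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    session_cookies = [c for c in cookies if c[0].upper() == cookie_name.upper()]
    if not session_cookies:
        findings.append("no %s cookie set in the response" % cookie_name)
    for name, _value, attrs in session_cookies:
        if "secure" not in attrs:
            findings.append("%s cookie lacks Secure (would also be sent over plain HTTP)" % name)
        if "httponly" not in attrs:
            findings.append("%s cookie lacks HttpOnly (readable by page scripts)" % name)
    if session_id_in_url(landing_url, cookie_name):
        findings.append("session ID present in URL (leaks via logs, Referer, browser history)")
    if urlsplit(landing_url).scheme != "https":
        findings.append("landing URL is not https")
    return findings


# Constructed samples: a weak deployment and a hardened one.
WEAK_HEADERS = ["JSESSIONID=ABC123; Path=/"]
WEAK_URL = "http://portal.example.test/web/guest/home;jsessionid=ABC123"
HARDENED_HEADERS = ["JSESSIONID=ABC123; Path=/; Secure; HttpOnly"]
HARDENED_URL = "https://portal.example.test/web/guest/home"

if __name__ == "__main__":
    for label, headers, url in (("weak", WEAK_HEADERS, WEAK_URL),
                                ("hardened", HARDENED_HEADERS, HARDENED_URL)):
        print(label, audit_session_transport(headers, url) or ["ok"])
```

On a Tomcat-hosted deployment the Secure and HttpOnly flags can be set declaratively in the web application's web.xml with the Servlet 3.0 `<session-config><cookie-config>` element (`<secure>true</secure>`, `<http-only>true</http-only>`), and the `session.enable.url.with.session.id=false` property mentioned earlier in the thread is what keeps the `;jsessionid=` path parameter out of generated links. Running the audit against the actual login response, rather than trusting the configuration, confirms that the settings took effect.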
Kruttika Phalke, modified 7 years ago.

RE: liferay-portal-6.1.2-ce-ga3 session hijacking

New Member Posts: 11 Join date: 22/04/13 Recent posts
Samuel Kong:
Hi Kruttika,

This is generally not considered a security issue. Your application server is designed to generate session IDs in such a way that it would be extremely difficult to guess a user's session ID. As long as you are using HTTPS and setting the session in a cookie (as opposed to using a GET parameter), you should be safe.

OK, thank you Samuel. We are currently using HTTP only. Can you help me with how to configure HTTPS for the Liferay application? I have made the following setting in the portal-ext.properties file:
company.security.auth.requires.https=true

But it has no effect.
Samuel Kong, modified 7 years ago.

RE: liferay-portal-6.1.2-ce-ga3 session hijacking

Liferay Legend Posts: 1902 Join date: 10/03/08 Recent posts
You should check your app server's documentation.