Discussion Forums
Change JSESSIONID cookie value after Login
Rajeev K, modified 10 years ago.
Change JSESSIONID cookie value after Login
Regular Member, Posts: 214, Join Date: 19/06/09
The JSESSIONID cookie value remains same after login to the application.
How can we renew this SESSIONID after login?
Any property available for this?
Rajeev K, modified 10 years ago.
RE: Change JSESSIONID cookie value after Login
Regular Member, Posts: 214, Join Date: 19/06/09
Anybody creating a new JSESSIONID after authentication?
Using JBoss 7.1.1
Zsigmond Rab, modified 10 years ago.
RE: Change JSESSIONID cookie value after Login
Liferay Master, Posts: 728, Join Date: 05/01/10
Hi Rajeev,
which version of the portal do you use? What is the value of the session.enable.phishing.protection property?
#
# Set this to true to invalidate the session when a user logs into the
# portal. This helps prevents phishing. Set this to false if you need the
# guest user and the authenticated user to have the same session.
#
# Set this to false if the property "company.security.auth.requires.https"
# is set to true and you want to maintain the same credentials across HTTP
# and HTTPS sessions.
#
session.enable.phishing.protection=true
Regards,
Zsigmond
Sagar A Vyas, modified 10 years ago.
RE: Change JSESSIONID cookie value after Login
Liferay Master, Posts: 679, Join Date: 17/04/09
Zsigmond Rab:
Hi Rajeev,
which version of the portal do you use? What is the value of the session.enable.phishing.protection property?
#
# Set this to true to invalidate the session when a user logs into the
# portal. This helps prevents phishing. Set this to false if you need the
# guest user and the authenticated user to have the same session.
#
# Set this to false if the property "company.security.auth.requires.https"
# is set to true and you want to maintain the same credentials across HTTP
# and HTTPS sessions.
#
session.enable.phishing.protection=true
Regards,
Zsigmond
Just curious to know: is there any setting in Liferay by which the JSESSIONID will not be visible in the URL?
Thanks,
Sagar Vyas
Hi! I am Liferay
Zsigmond Rab, modified 10 years ago.
RE: Change JSESSIONID cookie value after Login
Liferay Master, Posts: 728, Join Date: 05/01/10
Hi Sagar,
check the following:
#
# Set this to true to enable sessions when cookies are disabled. See
# LEP-4787. This behavior is configurable because enabling it can break
# certain setups.
#
session.enable.url.with.session.id=true
Regards,
Zsigmond
Sagar A Vyas, modified 10 years ago.
RE: Change JSESSIONID cookie value after Login
Liferay Master, Posts: 679, Join Date: 17/04/09
Zsigmond Rab:
Hi Sagar,
check the following:
#
# Set this to true to enable sessions when cookies are disabled. See
# LEP-4787. This behavior is configurable because enabling it can break
# certain setups.
#
session.enable.url.with.session.id=true
Regards,
Zsigmond
Thanks Zsigmond,
What does this mean?
This behavior is configurable because enabling it can break certain setups.
Thanks,
Sagar Vyas
Hi! I am Liferay
Zsigmond Rab, modified 10 years ago.
RE: Change JSESSIONID cookie value after Login
Liferay Master, Posts: 728, Join Date: 05/01/10
Hi Sagar,
if an environment and its setup rely on having the jsessionid in the URL, that can cause problems.
Regards,
Zsigmond
Rajeev K, modified 10 years ago.
RE: Change JSESSIONID cookie value after Login
Regular Member, Posts: 214, Join Date: 19/06/09
Zsigmond Rab:
Hi Rajeev,
which version of the portal do you use? What is the value of the session.enable.phishing.protection property?
#
# Set this to true to invalidate the session when a user logs into the
# portal. This helps prevents phishing. Set this to false if you need the
# guest user and the authenticated user to have the same session.
#
# Set this to false if the property "company.security.auth.requires.https"
# is set to true and you want to maintain the same credentials across HTTP
# and HTTPS sessions.
#
session.enable.phishing.protection=true
Regards,
Zsigmond
Hi Zsigmond,
I am using 6.1.1 CE.
I have set session.enable.phishing.protection=true in the portal-ext file.
Zsigmond Rab, modified 10 years ago.
RE: Change JSESSIONID cookie value after Login
Liferay Master, Posts: 728, Join Date: 05/01/10
Hi Rajeev,
do you mean this property was true before as well, and so it doesn't solve the issue, or have you just applied it and solved the problem?
Regards,
Zsigmond
Rajeev K, modified 10 years ago.
RE: Change JSESSIONID cookie value after Login
Regular Member, Posts: 214, Join Date: 19/06/09
Hi Zsigmond,
I added this property just now.
But it did not solve the issue. JSESSIONID still remains the same.
Thanks
Rajeev
David H Nebinger, modified 10 years ago.
RE: Change JSESSIONID cookie value after Login
Liferay Legend, Posts: 14919, Join Date: 02/09/06
Rajeev K:
But it did not solve the issue. JSESSIONID still remains the same.
The value of the jsessionid is not up to Liferay to manage. This is the token managed solely by the application container. The application container allocates a jsessionid to a session (a specific browser from a specific system); it has absolutely nothing to do with whether you are authenticated or not.
Likewise, when you do get authenticated, that doesn't have anything to do with the application container. You're still on the same browser on the same system, so there's no reason to have a new one.
Liferay can include the jsessionid in the url (when it is necessary), but Liferay does not manage the jsessionid at all.
Rajeev K, modified 10 years ago.
RE: Change JSESSIONID cookie value after Login
Regular Member, Posts: 214, Join Date: 19/06/09
Hi David,
Understood that the JSESSIONID is managed by the application container.
But by not renewing the session identifier after a successful login, doesn't the attacker get an easier opportunity to perform a session fixation / hijacking type of exploitation?
Is this JSESSIONID different from the session ID the application maintains?
Is Liferay fully secured against session fixation / hijacking type exploitation?
https://www.owasp.org/index.php/Session_fixation
Thanks
Rajeev
David H Nebinger, modified 10 years ago.
RE: Change JSESSIONID cookie value after Login
Liferay Legend, Posts: 14919, Join Date: 02/09/06
Session fixation is an issue for the application container, not Liferay. Tomcat 6 (.0.21 on) and Tomcat 7 use session fixation protection for authenticated users, but the problem is that when you log into Liferay you're not really authenticating with the container.
This has actually come up before: https://www.liferay.com/community/forums/-/message_boards/message/15610099
I did find a link which may provide you a solution for Tomcat + Liferay: http://marvinsmutterings.blogspot.com/2010/02/fixing-session-fixation-in-liferay-on.html It's a little dated, but the concepts should still be adaptable; possibly there is an easier solution to hook into Tomcat 6 or 7's session fixation protection, but it's going to take some work on your part to get there.
Tomáš Polešovský, modified 10 years ago.
RE: Change JSESSIONID cookie value after Login
Liferay Master, Posts: 676, Join Date: 13/02/09
Hi Rajeev,
Liferay has protection against session fixation when you use the login form. Are we talking here about login portlet form authentication?
It calls session.invalidate(), hoping the app server will change the session id. Please see https://github.com/liferay/liferay-portal/blob/6.1.2-ga3/portal-impl/src/com/liferay/portlet/login/util/LoginUtil.java#L306,L318
Is it possible for you to debug the code and look at session.getId()? If not, I can compile some debugging messages for you to see what is actually going on. Just tell me your portal version.
You can also try to trace the HTTP requests to the server and back to see what cookies are sent.
Best,
-- tom +
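As an added illustration of the mechanism Tomáš describes (invalidate the container session on a successful login so a JSESSIONID handed out before authentication no longer refers to the authenticated session), here is a hypothetical Servlet 3.0 helper written for this thread; it is not Liferay's LoginUtil nor any container's code, and the class name, method name and the attribute-copy step are assumptions. The returned flag is the point this thread turns on: the rotation only protects anything if the container actually issues a different id.

```java
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not Liferay or container code): replace the container
 * session after a successful login so that a JSESSIONID obtained before
 * authentication no longer refers to the authenticated session.
 */
public final class SessionIdRotation {

    private SessionIdRotation() {}

    /**
     * Call right after credentials are verified and before the response is
     * committed: the new JSESSIONID travels in a Set-Cookie header, which can
     * only be added while the response headers are still open.
     *
     * @return true if the container actually issued a different session id
     */
    public static boolean rotate(HttpServletRequest request) {
        HttpSession oldSession = request.getSession(true);
        String oldId = oldSession.getId();

        // invalidate() drops every attribute, so keep what the login flow
        // still needs (user id, CSRF token, redirect target, ...).
        Map<String, Object> attrs = new LinkedHashMap<String, Object>();
        Enumeration<String> names = oldSession.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            attrs.put(name, oldSession.getAttribute(name));
        }
        oldSession.invalidate();

        // On Servlet 3.0 containers (JBoss 7 / EAP 6) a new session is the only
        // way to get a new id; Servlet 3.1+ adds request.changeSessionId(),
        // which rotates the id in place and keeps the attributes.
        HttpSession newSession = request.getSession(true);
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            newSession.setAttribute(e.getKey(), e.getValue());
        }

        // The rotation only helps if the id really changed; a container that
        // hands the old id back (the symptom reported in this thread) should be
        // logged so the gap is visible instead of silently accepted.
        return !oldId.equals(newSession.getId());
    }
}
```

Checking the returned value is also the quickest way to answer Tomáš's question: log oldId and newSession.getId() side by side, or compare the Set-Cookie headers on the login response and the request that preceded it.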
Rajeev K, modified 10 years ago.
RE: Change JSESSIONID cookie value after Login
Regular Member, Posts: 214, Join Date: 19/06/09
Hi Tomáš,
I am using CE 6.1.1.
Basically we are trying to confirm that Liferay is not vulnerable to the session fixation attack described here: https://www.owasp.org/index.php/Session_fixation
Thanks
Rajeev
Tomáš Polešovský, modified 10 years ago.
RE: Change JSESSIONID cookie value after Login
Liferay Master, Posts: 676, Join Date: 13/02/09
It should not be vulnerable unless you misconfigure the portal.
Rajeev K, modified 8 years ago.
RE: Change JSESSIONID cookie value after Login
Regular Member, Posts: 214, Join Date: 19/06/09
<property name="org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH" value="true"/>
Does not work.
Anybody found a solution with JBoss EAP 6.0?