Message Boards

Avoid JSESSIONID to be set before authentication.

Updated 11 years ago by Jignesh Majmudar.

Avoid JSESSIONID to be set before authentication.

Junior Member Posts: 36 Join Date: 10/05/07
Hello All,

JSESSIONID should not be set before authentication.

It will be great if anybody can help me out.

I am using LR5.2 + JBOSS AS 4.2

Thanks in advance.
Updated 11 years ago by David H Nebinger.

RE: Avoid JSESSIONID to be set before authentication.

Liferay Legend Posts: 14916 Join Date: 06/09/02
Not going to happen...

They are not connected in any way. A web session is created to store session information for the current web application, not the current user. Liferay stores things in the session that are necessary for the portal to work.

Authentication is a separate process, and verifies you are a valid user. After authentication, that info also happens to be set in the session.
Updated 11 years ago by Jignesh Majmudar.

RE: Avoid JSESSIONID to be set before authentication.

Junior Member Posts: 36 Join Date: 10/05/07
David H Nebinger:
Not going to happen...

They are not connected in any way. A web session is created to store session information for the current web application, not the current user. Liferay stores things in the session that are necessary for the portal to work.

Authentication is a separate process, and verifies you are a valid user. After authentication, that info also happens to be set in the session.

Thanks for the reply.

Is it possible to at least avoid adding the jsessionid cookie? Or is it just the same thing you said?

My ultimate goal is to prevent session hijacking. Is there any way to change the session id after authentication?
Updated 11 years ago by Jan Geißler.

RE: Avoid JSESSIONID to be set before authentication.

Liferay Master Posts: 735 Join Date: 11/07/05
The cookie does the mapping for the server. The session is stored on the server side, and the server has to know which session you have. This is done via the cookie. You could disable session cookies, but then the session ID will be sent in the URL, which is even worse if you want to have more security.
Updated 11 years ago by Jignesh Majmudar.

RE: Avoid JSESSIONID to be set before authentication.

Junior Member Posts: 36 Join Date: 10/05/07
Jan Geißler:
The cookie does the mapping for the server. The session is stored on the server side, and the server has to know which session you have. This is done via the cookie. You could disable session cookies, but then the session ID will be sent in the URL, which is even worse if you want to have more security.

So what's the option to avoid session hijacking?

Can we change JSESSIONID before and after authentication?
Updated 11 years ago by Jan Geißler.

RE: Avoid JSESSIONID to be set before authentication.

Liferay Master Posts: 735 Join Date: 11/07/05
I am not that much of a security expert, but I think HTTPS would solve your problem, would it not?
Updated 11 years ago by Jignesh Majmudar.

RE: Avoid JSESSIONID to be set before authentication.

Junior Member Posts: 36 Join Date: 10/05/07
No, it's not changing in any way, either for HTTP or HTTPS.

Anyway, thanks for the support.

Hope some security expert can help me with this.
Updated 11 years ago by David H Nebinger.

RE: Avoid JSESSIONID to be set before authentication.

Liferay Legend Posts: 14916 Join Date: 06/09/02
I know that Liferay has done some patches relative to security and session hijacking, but I don't know if any of that code has been backported to the 5.2 series...

If you were an enterprise customer w/ a valid license for 5, they would probably be able to get you whatever patches might be necessary.

If not, you're really on your own. And, since Liferay 5 is so old, you might not get as much help from the community as you would on a current version.

A Google search for "liferay session hijacking" turned up a lot of stuff, especially this link. There may be other links that could help you get on your way...
Updated 11 years ago by Jignesh Majmudar.

RE: Avoid JSESSIONID to be set before authentication.

Junior Member Posts: 36 Join Date: 10/05/07
Thanks a lot for the guidance.
Updated 11 years ago by Jan Geißler.

RE: Avoid JSESSIONID to be set before authentication.

Liferay Master Posts: 735 Join Date: 11/07/05
If your WHOLE application server is HTTPS based, then it should be safe AFAIK.
Updated 11 years ago by Jan Geißler.

RE: Avoid JSESSIONID to be set before authentication.

Liferay Master Posts: 735 Join Date: 11/07/05
If I remember correctly, JSESSIONID will be set after the first call of request.getSession(true). Now you have to figure out when Liferay does this call, and if possible modify it. But I think this task will be at least very tricky, as I don't know how often and when those calls appear. Another problem would be that you do not have control over what your installed portlets do. Maybe one of them does this call, and if it's on a public page, you end up having a session. So, long story short, this should be a very hard task. At least (but maybe someone else has an idea how to solve this).
Updated 11 years ago by Jignesh Majmudar.

RE: Avoid JSESSIONID to be set before authentication.

Junior Member Posts: 36 Join Date: 10/05/07
Jan Geißler:
If I remember correctly, JSESSIONID will be set after the first call of request.getSession(true). Now you have to figure out when Liferay does this call, and if possible modify it. But I think this task will be at least very tricky, as I don't know how often and when those calls appear. Another problem would be that you do not have control over what your installed portlets do. Maybe one of them does this call, and if it's on a public page, you end up having a session. So, long story short, this should be a very hard task. At least (but maybe someone else has an idea how to solve this).

Thanks Jan,

I feel the same way. Is there any option to change JSESSIONID once the user is logged in?
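The session-id change asked about in this thread, as an added example that is not from the thread, Liferay or JBoss: on Servlet 2.5 (the API level of JBoss AS 4.2) there is no request.changeSessionId(), so the usual defence against session fixation is to invalidate the pre-login session right after the credentials are verified and copy its attributes into a freshly created one, which the container issues under a new JSESSIONID. The helper below assumes it is called from the application's own login handler, before any authenticated state is stored.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Rotates the servlet session at login so the JSESSIONID a client carried
 * before authentication never identifies the authenticated session.
 * Hypothetical helper written for this example; not part of Liferay.
 */
public final class SessionRotator {

    private SessionRotator() {}

    /**
     * Call after credentials are verified and before writing user state.
     * Returns the new session, which carries over the old attributes so
     * portal state kept in the session (as described above) survives.
     */
    public static HttpSession rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            // The old id stops mapping to anything on the server from here on,
            // so a client that learned it before login cannot reuse it.
            old.invalidate();
        }
        // getSession(true) after invalidate() makes the container create a
        // new session and send a new JSESSIONID cookie on this response.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Attributes that must not outlive the login (for example a stored pre-authentication token) should be dropped from the copy loop rather than carried over, and the rotation is still only one half of the picture: the cookie itself needs the Secure flag on an HTTPS deployment so the new id is not exposed on a plaintext request.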