Message Boards

Change JSESSIONID cookie value after Login

Updated 10 years ago by Rajeev K.

Change JSESSIONID cookie value after Login

Regular Member, Posts: 214, Join Date: 09/06/19
The JSESSIONID cookie value remains same after login to the application.

How can we renew this SESSIONID after login?

Any property available for this?
Updated 10 years ago by Rajeev K.

RE: Change JSESSIONID cookie value after Login

Regular Member, Posts: 214, Join Date: 09/06/19
Is anybody creating a new JSESSIONID after authentication?
Using JBoss 7.1.1.
Updated 10 years ago by Zsigmond Rab.

RE: Change JSESSIONID cookie value after Login

Liferay Master, Posts: 728, Join Date: 10/01/05
Hi Rajeev,

which version of the portal do you use? What is the value of the session.enable.phishing.protection property?

#
# Set this to true to invalidate the session when a user logs into the
# portal. This helps prevents phishing. Set this to false if you need the
# guest user and the authenticated user to have the same session.
#
# Set this to false if the property "company.security.auth.requires.https"
# is set to true and you want to maintain the same credentials across HTTP
# and HTTPS sessions.
#
session.enable.phishing.protection=true

Regards,
Zsigmond
Updated 10 years ago by Sagar A Vyas.

RE: Change JSESSIONID cookie value after Login

Liferay Master, Posts: 679, Join Date: 09/04/17
Zsigmond Rab:
Hi Rajeev,

which version of the portal do you use? What is the value of the session.enable.phishing.protection property?

#
# Set this to true to invalidate the session when a user logs into the
# portal. This helps prevents phishing. Set this to false if you need the
# guest user and the authenticated user to have the same session.
#
# Set this to false if the property "company.security.auth.requires.https"
# is set to true and you want to maintain the same credentials across HTTP
# and HTTPS sessions.
#
session.enable.phishing.protection=true

Regards,
Zsigmond


Just curious to know: is there any setting in Liferay by which the JSESSIONID will not be visible in the URL?

Thanks,
Sagar Vyas
Hi! I am Liferay
Updated 10 years ago by Zsigmond Rab.

RE: Change JSESSIONID cookie value after Login

Liferay Master, Posts: 728, Join Date: 10/01/05
Hi Sagar,

check the following:

#
# Set this to true to enable sessions when cookies are disabled. See
# LEP-4787. This behavior is configurable because enabling it can break
# certain setups.
#
session.enable.url.with.session.id=true

Regards,
Zsigmond
Updated 10 years ago by Sagar A Vyas.

RE: Change JSESSIONID cookie value after Login

Liferay Master, Posts: 679, Join Date: 09/04/17
Zsigmond Rab:
Hi Sagar,

check the following:

#
# Set this to true to enable sessions when cookies are disabled. See
# LEP-4787. This behavior is configurable because enabling it can break
# certain setups.
#
session.enable.url.with.session.id=true

Regards,
Zsigmond


Thanks Zsigmond,

What does this mean?
"This behavior is configurable because enabling it can break certain setups."


Thanks,
Sagar Vyas
Hi! I am Liferay
Updated 10 years ago by Zsigmond Rab.

RE: Change JSESSIONID cookie value after Login

Liferay Master, Posts: 728, Join Date: 10/01/05
Hi Sagar,

If an environment and its setup rely on having the jsessionid in the URL, that can cause problems.

Regards,
Zsigmond
Updated 10 years ago by Rajeev K.

RE: Change JSESSIONID cookie value after Login

Regular Member, Posts: 214, Join Date: 09/06/19
Zsigmond Rab:
Hi Rajeev,

which version of the portal do you use? What is the value of the session.enable.phishing.protection property?

#
# Set this to true to invalidate the session when a user logs into the
# portal. This helps prevents phishing. Set this to false if you need the
# guest user and the authenticated user to have the same session.
#
# Set this to false if the property "company.security.auth.requires.https"
# is set to true and you want to maintain the same credentials across HTTP
# and HTTPS sessions.
#
session.enable.phishing.protection=true

Regards,
Zsigmond


Hi Zsigmond,

I am using 6.1.1 CE

I have set session.enable.phishing.protection=true in the portal-ext file.
Updated 10 years ago by Zsigmond Rab.

RE: Change JSESSIONID cookie value after Login

Liferay Master, Posts: 728, Join Date: 10/01/05
Hi Rajeev,

Do you mean this property was already true before, and so it doesn't solve the issue, or have you just applied it and solved the problem?

Regards,
Zsigmond
Updated 10 years ago by Rajeev K.

RE: Change JSESSIONID cookie value after Login

Regular Member, Posts: 214, Join Date: 09/06/19
Hi Zsigmond,

I added this property just now.
But it did not solve the issue. JSESSIONID still remains the same.

Thanks
Rajeev
Updated 10 years ago by David H Nebinger.

RE: Change JSESSIONID cookie value after Login

Liferay Legend, Posts: 14919, Join Date: 06/09/02
Rajeev K:
But it did not solve the issue. JSESSIONID still remains the same.


The value of the jsessionid is not up to Liferay to manage. This is the token managed solely by the application container. The application container allocates a jsessionid to a session (a specific browser from a specific system); it has absolutely nothing to do with whether you are authenticated or not.

Likewise, when you do get authenticated, it doesn't have anything to do with the application container. You're still on the same browser on the same system, so there's no reason to have a new one.

Liferay can include the jsessionid in the url (when it is necessary), but Liferay does not manage the jsessionid at all.
Updated 10 years ago by Rajeev K.

RE: Change JSESSIONID cookie value after Login

Regular Member, Posts: 214, Join Date: 09/06/19
Hi David,

Understood that the JSESSIONID is managed by the application container.

But by not renewing the session identifier after a successful login, does an attacker have an easier opportunity to perform a session fixation / hijacking type of exploitation?

Is this JSESSIONID different from the SessionID the application maintains?

Is Liferay fully secured against session fixation / hijacking type exploitation?
https://www.owasp.org/index.php/Session_fixation

Thanks
Rajeev
Updated 10 years ago by David H Nebinger.

RE: Change JSESSIONID cookie value after Login

Liferay Legend, Posts: 14919, Join Date: 06/09/02
Session fixation is an issue for the application container, not Liferay. Tomcat 6 (.0.21 on) and Tomcat 7 use session fixation protection for authenticated users, but the problem is that when you log into Liferay you're not really authenticating with the container.

This has actually come up before: https://www.liferay.com/community/forums/-/message_boards/message/15610099

I did find a link which may provide you with a solution for Tomcat + Liferay (http://marvinsmutterings.blogspot.com/2010/02/fixing-session-fixation-in-liferay-on.html). It's a little dated, but the concepts should still be adaptable; possibly there is an easier solution to get into Tomcat 6 or 7's session fixation protection, but it's going to take some work on your part to get there.
Updated 10 years ago by Tomáš Polešovský.

RE: Change JSESSIONID cookie value after Login

Liferay Master, Posts: 676, Join Date: 09/02/13
Hi Rajeev,

Liferay has protection against session fixation when you use the login form. Are we talking here about login portlet form authentication?

It calls session.invalidate(), hoping the app server will change the session id. Please see https://github.com/liferay/liferay-portal/blob/6.1.2-ga3/portal-impl/src/com/liferay/portlet/login/util/LoginUtil.java#L306,L318

Is it possible for you to debug the code and look at session.getId()? If not, I can compile some debugging messages to see what is actually going on. Just tell me your portal version.

You can also try to trace HTTP requests to server and back to see what cookies are sent.

Best,

-- tom +
Updated 10 years ago by Rajeev K.

RE: Change JSESSIONID cookie value after Login

Regular Member, Posts: 214, Join Date: 09/06/19
Hi Tomáš,

I am using CE 6.1.1

Basically we are trying to confirm that Liferay is not vulnerable to session fixation, which is described here: https://www.owasp.org/index.php/Session_fixation


Thanks
Rajeev
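The following is an added example, not code from this thread, from Liferay or from any servlet container. It does in Python what Tomáš suggests above (trace the requests and compare the cookies the server sets) and at the same time models the two container behaviours the thread argues about. A small in-process HTTP server, constructed for the example, keeps sessions keyed by JSESSIONID and either keeps the pre-login id on a successful login (the behaviour Rajeev observes) or retires it and issues a fresh id with the session attributes carried over (the invalidate-then-recreate pattern Tomáš describes). The checker then runs the OWASP session fixation test against it: obtain an id as an unauthenticated client, log in while presenting that id, then present the original id again and see whether it now carries the authenticated session. The /login endpoint, the login and password form fields, the password "correct" and the user name are all assumptions of the mock; to run the same check against a real portal, point session_id_changes_on_login at its host and port and adapt the login request to the portal's actual login action and fields.

```python
"""Session fixation check: does JSESSIONID change on login, and does the
pre-login id stop working?  Constructed example: the mock server below stands
in for the servlet container; it is not Liferay or Tomcat code."""
import http.client
import secrets
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode

COOKIE = "JSESSIONID"


class SessionStore:
    """In-memory sessions keyed by id, the way a container keeps them."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> attribute dict

    def get_or_create(self, sid):
        if sid not in self.sessions:          # unknown or missing id: new session
            sid = secrets.token_hex(16)
            self.sessions[sid] = {}
        return sid

    def login(self, sid, user):
        """Authenticate the session; rotate the id only if configured to."""
        attrs = self.sessions[sid]
        attrs["user"] = user
        if not self.rotate_on_login:          # vulnerable: attacker-known id survives login
            return sid
        new_sid = secrets.token_hex(16)       # invalidate-and-recreate pattern:
        self.sessions[new_sid] = dict(attrs)  # carry the attributes over,
        del self.sessions[sid]                # retire the pre-login id
        return new_sid


def make_handler(store):
    class Handler(BaseHTTPRequestHandler):
        def _session_id(self):
            jar = SimpleCookie(self.headers.get("Cookie"))
            return jar[COOKIE].value if COOKIE in jar else None

        def _reply(self, status, sid, body):
            self.send_response(status)
            self.send_header("Set-Cookie", f"{COOKIE}={sid}; Path=/; HttpOnly")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_GET(self):  # any page: report whom the session belongs to
            sid = store.get_or_create(self._session_id())
            user = store.sessions[sid].get("user", "guest")
            self._reply(200, sid, f"hello {user}".encode())

        def do_POST(self):  # assumed /login form with login= and password=
            length = int(self.headers.get("Content-Length", 0))
            form = parse_qs(self.rfile.read(length).decode())
            sid = store.get_or_create(self._session_id())
            if form.get("password") == ["correct"]:  # assumed credential check
                sid = store.login(sid, form["login"][0])
                self._reply(200, sid, b"login ok")
            else:
                self._reply(401, sid, b"bad credentials")

        def log_message(self, *args):  # silence per-request logging
            pass

    return Handler


def session_id_changes_on_login(host, port, login="test@liferay.com", password="correct"):
    """Run the OWASP session fixation check against host:port.
    Returns (pre_login_id, post_login_id, planted_id_is_authenticated);
    the safe outcome is two different ids and a False flag."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    # 1. fetch a page unauthenticated: this id is what an attacker would plant
    conn.request("GET", "/")
    resp = conn.getresponse(); resp.read()
    pre = SimpleCookie(resp.getheader("Set-Cookie"))[COOKIE].value
    # 2. log in while presenting the planted id
    conn.request("POST", "/login", body=urlencode({"login": login, "password": password}),
                 headers={"Cookie": f"{COOKIE}={pre}",
                          "Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse(); resp.read()
    post = SimpleCookie(resp.getheader("Set-Cookie"))[COOKIE].value
    # 3. the attacker's view: does the planted id now carry the victim's login?
    conn.request("GET", "/", headers={"Cookie": f"{COOKIE}={pre}"})
    resp = conn.getresponse(); page = resp.read().decode()
    conn.close()
    return pre, post, page == f"hello {login}"


def run_check(rotate_on_login):
    """Start the mock server in the given mode and run the check against it."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(SessionStore(rotate_on_login)))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return session_id_changes_on_login(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for rotate in (False, True):
        pre, post, hijacked = run_check(rotate)
        print(f"rotate_on_login={rotate}: id changed={pre != post}, "
              f"planted id authenticated={hijacked}")
```

Step 3 is the part that matters: a server that sets a new JSESSIONID on the login response but leaves the old session alive is still exploitable, so compare the ids and re-use the planted one rather than only looking for a changed Set-Cookie header. When tracing a real portal, the same two observations (the Set-Cookie on the login response and the result of replaying the pre-login cookie) are what a proxy capture should show.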
Updated 10 years ago by Tomáš Polešovský.

RE: Change JSESSIONID cookie value after Login

Liferay Master, Posts: 676, Join Date: 09/02/13
It should not be vulnerable unless you misconfigure the portal.
Updated 8 years ago by Rajeev K.

RE: Change JSESSIONID cookie value after Login

Regular Member, Posts: 214, Join Date: 09/06/19
<property name="org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH" value="true"/>

Does not work.

Has anybody found a solution with JBoss EAP 6.0?