Forum

Change JSESSIONID cookie value after Login

Rajeev K, modified 10 years ago.

Change JSESSIONID cookie value after Login

Regular Member Posts: 214 Join Date: 19/06/09
The JSESSIONID cookie value remains the same after logging in to the application.

How can we renew this SESSIONID after login?

Any property available for this?
Rajeev K, modified 10 years ago.

RE: Change JSESSIONID cookie value after Login

Regular Member Posts: 214 Join Date: 19/06/09
Is anybody creating a new JSESSIONID after authentication?
Using JBoss 7.1.1
Zsigmond Rab, modified 10 years ago.

RE: Change JSESSIONID cookie value after Login

Liferay Master Posts: 728 Join Date: 05/01/10
Hi Rajeev,

Which version of the portal do you use? What is the value of the session.enable.phishing.protection property?

#
# Set this to true to invalidate the session when a user logs into the
# portal. This helps prevents phishing. Set this to false if you need the
# guest user and the authenticated user to have the same session.
#
# Set this to false if the property "company.security.auth.requires.https"
# is set to true and you want to maintain the same credentials across HTTP
# and HTTPS sessions.
#
session.enable.phishing.protection=true

Regards,
Zsigmond
Sagar A Vyas, modified 10 years ago.

RE: Change JSESSIONID cookie value after Login

Liferay Master Posts: 679 Join Date: 17/04/09
Zsigmond Rab:
Hi Rajeev,

Which version of the portal do you use? What is the value of the session.enable.phishing.protection property?

#
# Set this to true to invalidate the session when a user logs into the
# portal. This helps prevents phishing. Set this to false if you need the
# guest user and the authenticated user to have the same session.
#
# Set this to false if the property "company.security.auth.requires.https"
# is set to true and you want to maintain the same credentials across HTTP
# and HTTPS sessions.
#
session.enable.phishing.protection=true

Regards,
Zsigmond


Just curious to know: is there any setting in Liferay by which the JSESSIONID will not be visible in the URL?

Thanks,
Sagar Vyas
Hi! I am Liferay
Zsigmond Rab, modified 10 years ago.

RE: Change JSESSIONID cookie value after Login

Liferay Master Posts: 728 Join Date: 05/01/10
Hi Sagar,

Check the following:

#
# Set this to true to enable sessions when cookies are disabled. See
# LEP-4787. This behavior is configurable because enabling it can break
# certain setups.
#
session.enable.url.with.session.id=true

Regards,
Zsigmond
Sagar A Vyas, modified 10 years ago.

RE: Change JSESSIONID cookie value after Login

Liferay Master Posts: 679 Join Date: 17/04/09
Zsigmond Rab:
Hi Sagar,

Check the following:

#
# Set this to true to enable sessions when cookies are disabled. See
# LEP-4787. This behavior is configurable because enabling it can break
# certain setups.
#
session.enable.url.with.session.id=true

Regards,
Zsigmond


Thanks Zsigmond,

What does this mean?
"This behavior is configurable because enabling it can break certain setups."

Thanks,
Sagar Vyas
Hi! I am Liferay
Zsigmond Rab, modified 10 years ago.

RE: Change JSESSIONID cookie value after Login

Liferay Master Posts: 728 Join Date: 05/01/10
Hi Sagar,

If an environment and its setup rely on having the jsessionid in the URL, that can cause problems.

Regards,
Zsigmond
Rajeev K, modified 10 years ago.

RE: Change JSESSIONID cookie value after Login

Regular Member Posts: 214 Join Date: 19/06/09
Zsigmond Rab:
Hi Rajeev,

Which version of the portal do you use? What is the value of the session.enable.phishing.protection property?

#
# Set this to true to invalidate the session when a user logs into the
# portal. This helps prevents phishing. Set this to false if you need the
# guest user and the authenticated user to have the same session.
#
# Set this to false if the property "company.security.auth.requires.https"
# is set to true and you want to maintain the same credentials across HTTP
# and HTTPS sessions.
#
session.enable.phishing.protection=true

Regards,
Zsigmond


Hi Zsigmond,

I am using 6.1.1 CE

I have set session.enable.phishing.protection=true in the portal-ext file
Zsigmond Rab, modified 10 years ago.

RE: Change JSESSIONID cookie value after Login

Liferay Master Posts: 728 Join Date: 05/01/10
Hi Rajeev,

Do you mean this property was already true before, and so it doesn't solve the issue, or have you just applied it and solved the problem?

Regards,
Zsigmond
Rajeev K, modified 10 years ago.

RE: Change JSESSIONID cookie value after Login

Regular Member Posts: 214 Join Date: 19/06/09
Hi Zsigmond,

I added this property just now.
But it did not solve the issue. JSESSIONID still remains the same.

Thanks
Rajeev
David H Nebinger, modified 10 years ago.

RE: Change JSESSIONID cookie value after Login

Liferay Legend Posts: 14919 Join Date: 02/09/06
Rajeev K:
But it did not solve the issue. JSESSIONID still remains the same.


The value of the jsessionid is not up to Liferay to manage. This is the token managed solely by the application container. The application container allocates a jsessionid to a session (a specific browser from a specific system); it has absolutely nothing to do with whether you are authenticated or not.

Likewise, when you do get authenticated, it doesn't have anything to do with the application container. You're still on the same browser on the same system, so there's no reason to have a new one.

Liferay can include the jsessionid in the URL (when it is necessary), but Liferay does not manage the jsessionid at all.
Rajeev K, modified 10 years ago.

RE: Change JSESSIONID cookie value after Login

Regular Member Posts: 214 Join Date: 19/06/09
Hi David,

Understood that the JSESSIONID is managed by the application container.

But by not renewing the session identifier after a successful login, doesn't an attacker have an easier opportunity to perform session fixation / hijacking type exploitation?

Is this JSESSIONID different from the SessionID the application maintains?

Is Liferay fully secured against session fixation / hijacking type exploitation?
https://www.owasp.org/index.php/Session_fixation

Thanks
Rajeev
David H Nebinger, modified 10 years ago.

RE: Change JSESSIONID cookie value after Login

Liferay Legend Posts: 14919 Join Date: 02/09/06
Session fixation is an issue for the application container, not Liferay. Tomcat 6 (6.0.21 onward) and Tomcat 7 use session fixation protection for authenticated users, but the problem is that when you log into Liferay you're not really authenticating with the container.

This has actually come up before: https://www.liferay.com/community/forums/-/message_boards/message/15610099

I did find a link which may provide you a solution for Tomcat + Liferay: http://marvinsmutterings.blogspot.com/2010/02/fixing-session-fixation-in-liferay-on.html It's a little dated, but the concepts should still be adaptable; possibly there is an easier solution to get into Tomcat 6 or 7's session fixation protection, but it's going to take some work on your part to get there.
Tomáš Polešovský, modified 10 years ago.

RE: Change JSESSIONID cookie value after Login

Liferay Master Posts: 676 Join Date: 13/02/09
Hi Rajeev,

Liferay has protection against session fixation when you use the login form. Are we talking here about login portlet form authentication?

It calls session.invalidate(), hoping the app server will change the session id. Please see https://github.com/liferay/liferay-portal/blob/6.1.2-ga3/portal-impl/src/com/liferay/portlet/login/util/LoginUtil.java#L306,L318

Is it possible for you to debug the code and look at session.getId()? If not, I can compile some debugging messages for you to see what is actually going on. Just tell me your portal version.

You can also try to trace HTTP requests to the server and back to see what cookies are sent.

Best,

-- tom +
Rajeev K, modified 10 years ago.

RE: Change JSESSIONID cookie value after Login

Regular Member Posts: 214 Join Date: 19/06/09
Hi Tomáš,

I am using CE 6.1.1

Basically we are trying to confirm that Liferay is not vulnerable to the session fixation described here: https://www.owasp.org/index.php/Session_fixation

Thanks
Rajeev
Tomáš Polešovský, modified 10 years ago.

RE: Change JSESSIONID cookie value after Login

Liferay Master Posts: 676 Join Date: 13/02/09
It should not be vulnerable unless you misconfigure the portal.
Rajeev K, modified 8 years ago.

RE: Change JSESSIONID cookie value after Login

Regular Member Posts: 214 Join Date: 19/06/09
<property name="org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH" value="true"/>

Does not work.

Has anybody found a solution with JBoss EAP 6.0?
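As an added example, not code from this thread or from Liferay's own LoginUtil, here is the invalidate-and-recreate rotation Tomáš describes, written as a hypothetical Servlet 3.0 helper to be called from an application's post-login hook. It assumes only the javax.servlet API available on JBoss 7.1.1 / EAP 6.0 and refuses to continue in the case the thread ran into, where the container hands the same id back after invalidate().

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not Liferay's LoginUtil): rotate the container session
 * after an application-level login, for containers where the login never
 * reaches container authentication and so CHANGE_SESSIONID_ON_AUTH never fires.
 * Servlet 3.0 API only; on Servlet 3.1+ request.changeSessionId() does this
 * in one call while keeping the attributes.
 */
public final class SessionRotation {

    private SessionRotation() {}

    /** Invalidates the pre-login session, creates a fresh one carrying the
     *  same attributes, and returns the new session id. */
    public static String rotateAfterLogin(HttpServletRequest request) {
        HttpSession oldSession = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        String oldId = null;
        if (oldSession != null) {
            oldId = oldSession.getId();
            Enumeration<String> names = oldSession.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, oldSession.getAttribute(name));
            }
            // Drop the id the browser carried before login: if someone else
            // knew it (session fixation), it is now worthless to them.
            oldSession.invalidate();
        }
        HttpSession newSession = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            newSession.setAttribute(e.getKey(), e.getValue());
        }
        // Containers differ here: some issue a new id on invalidate(), some
        // hand the old one back (what the thread observes on JBoss 7.1.1).
        if (oldId != null && oldId.equals(newSession.getId())) {
            throw new IllegalStateException(
                "container reused session id after invalidate(): " + oldId);
        }
        return newSession.getId();
    }
}
```

Confirm the rotation actually reached the browser the way Tomáš suggests: compare the JSESSIONID in the Set-Cookie header of the login response with the one the login request sent.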