Forum
liferay-portal-6.1.2-ce-ga3 session hijacking
Kruttika Phalke, modified 7 years ago.
liferay-portal-6.1.2-ce-ga3 session hijacking
New Member Posts: 11 Join Date: 22/04/13
How to disable session hijacking in Liferay 6.1.2 CE GA3? When two different users, say user1 and user2, log in on two different systems, and we edit user1's JSESSIONID to user2's JSESSIONID, user1 gets the session of user2 and is able to access it?
Rahul Mantri, modified 7 years ago.
RE: liferay-portal-6.1.2-ce-ga3 session hijacking
New Member Posts: 10 Join Date: 10/02/11
Have you tried setting the following in the portal-ext.properties file:
session.enable.url.with.session.id=false
Kruttika Phalke, modified 7 years ago.
RE: liferay-portal-6.1.2-ce-ga3 session hijacking
New Member Posts: 11 Join Date: 22/04/13
Yes Rahul, I have tried that setting, but I have the same issue.
Samuel Kong, modified 7 years ago.
RE: liferay-portal-6.1.2-ce-ga3 session hijacking
Liferay Legend Posts: 1902 Join Date: 10/03/08
Hi Kruttika,
As you noted, if someone else is able to obtain your session ID, that person can hijack your session. This is pretty much the case for all websites and not just Liferay Portal. So you should not hand out your session ID.
Kruttika Phalke, modified 7 years ago.
RE: liferay-portal-6.1.2-ce-ga3 session hijacking
New Member Posts: 11 Join Date: 22/04/13
Hi Samuel,
But this is a serious issue. I am using Liferay for banking applications, and if the user gets hijacked it can cause many issues.
Olaf Kock, modified 7 years ago.
RE: liferay-portal-6.1.2-ce-ga3 session hijacking
Liferay Legend Posts: 6403 Join Date: 23/09/08
Kruttika Phalke:
But this is a serious issue. I am using Liferay for banking applications, and if the user gets hijacked it can cause many issues.
If you're working within the banking industry, I'm sure that you use HTTPS, so there's no way that anybody can get the session ID. As Sam says, this is the case for almost every application on the web. You might also be able to implement a custom login utilizing a client certificate, but the underlying issue that you state is independent of that: through HTTPS your session identifiers will be unknown to anyone.
Further, as you're working in the banking industry, I'm also sure that you don't want to work on an old version that has seen many updates since release (6.1 CE hasn't received any updates since December 2013). This is a bigger issue than leakage of the session ID. I'd suggest considering Liferay's Enterprise offerings, e.g. 6.2 EE or DXP, so that you get updates ASAP.
Kruttika Phalke, modified 7 years ago.
RE: liferay-portal-6.1.2-ce-ga3 session hijacking
New Member Posts: 11 Join Date: 22/04/13
Olaf Kock:
Kruttika Phalke: But this is a serious issue. I am using Liferay for banking applications, and if the user gets hijacked it can cause many issues.
If you're working within the banking industry, I'm sure that you use HTTPS, so there's no way that anybody can get the session ID. As Sam says, this is the case for almost every application on the web. You might also be able to implement a custom login utilizing a client certificate, but the underlying issue that you state is independent of that: through HTTPS your session identifiers will be unknown to anyone.
Further, as you're working in the banking industry, I'm also sure that you don't want to work on an old version that has seen many updates since release (6.1 CE hasn't received any updates since December 2013). This is a bigger issue than leakage of the session ID. I'd suggest considering Liferay's Enterprise offerings, e.g. 6.2 EE or DXP, so that you get updates ASAP.
OK, thank you Olaf. Currently using HTTP only. Can you help me with how to configure HTTPS for the Liferay application? I have made the following setting in the portal-ext.properties file:
company.security.auth.requires.https=true
But it has no effect.
Samuel Kong, modified 7 years ago.
RE: liferay-portal-6.1.2-ce-ga3 session hijacking
Liferay Legend Posts: 1902 Join Date: 10/03/08
Hi Kruttika,
This is generally not considered a security issue. Your application server is designed to generate session IDs in such a way that it would be extremely difficult to guess a user's session ID. As long as you are using HTTPS and setting the session in a cookie (as opposed to using a GET parameter), you should be safe.
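To verify that a deployment actually follows this advice (session ID carried only in a Secure, HttpOnly cookie over HTTPS, never rewritten into URLs as the session.enable.url.with.session.id setting above controls), here is an added Python check; it is not code from this thread or from Liferay. The HTTP response it inspects is constructed, and the cookie attributes it expects are assumptions about what a hardened app server should emit.

```python
import re
from http.cookies import SimpleCookie

# Constructed sample response: the Set-Cookie line has no Secure/HttpOnly
# flags and the body carries a URL-rewritten ;jsessionid= (both weak on purpose).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=ABC123DEF456; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<a href="/web/guest/home;jsessionid=ABC123DEF456">Home</a>'
)

# Hardened variant of the same response, built from the sample for comparison.
HARDENED_RESPONSE = SAMPLE_RESPONSE.replace(
    "Path=/", "Path=/; Secure; HttpOnly"
).replace(";jsessionid=ABC123DEF456", "")

# Servlet-container URL rewriting looks like /path;jsessionid=<id>
JSESSIONID_IN_URL = re.compile(r";jsessionid=[^\s\"'?&#]+", re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP response into a list of (name, value) headers and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def audit_session_handling(raw, served_over_https=True):
    """Return a list of findings describing how the session ID is exposed."""
    headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = SimpleCookie()
        cookie.load(value)
        if "JSESSIONID" not in cookie:
            continue
        morsel = cookie["JSESSIONID"]
        if not morsel["httponly"]:  # script on the page could read it
            findings.append("JSESSIONID cookie lacks HttpOnly")
        if not morsel["secure"]:  # browser would also send it over plain HTTP
            findings.append("JSESSIONID cookie lacks Secure")
    if not served_over_https:
        findings.append("response served over plain HTTP")
    if JSESSIONID_IN_URL.search(body):
        findings.append("session ID rewritten into a URL in the body")
    return findings
```

Run the audit against captured responses from each environment; an empty findings list for HTTPS traffic is the state Samuel describes.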
Kruttika Phalke, modified 7 years ago.
RE: liferay-portal-6.1.2-ce-ga3 session hijacking
New Member Posts: 11 Join Date: 22/04/13
Samuel Kong:
Hi Kruttika,
This is generally not considered a security issue. Your application server is designed to generate session IDs in such a way that it would be extremely difficult to guess a user's session ID. As long as you are using HTTPS and setting the session in a cookie (as opposed to using a GET parameter), you should be safe.
OK, thank you Samuel. Currently using HTTP only. Can you help me with how to configure HTTPS for the Liferay application? I have made the following setting in the portal-ext.properties file:
company.security.auth.requires.https=true
But it has no effect.
Samuel Kong, modified 7 years ago.
RE: liferay-portal-6.1.2-ce-ga3 session hijacking
Liferay Legend Posts: 1902 Join Date: 10/03/08
You should check your app server's documentation.