Hi,

I thought it would be a nice security update to add this fix to my application, but I seem to be having a hard time finding out exactly where to invalidate the Tapestry session without getting exceptions.

I have a Dispatcher that controls page access and manages my internal session implementations. I thought this would be a decent place to also invalidate the Tapestry session just before returning from this Dispatcher, but I get exceptions as mentioned, so it must not be far enough down the request?

What is the impact of this type of security feature on SessionState Objects and Persistent fields? I don't want to jump to conclusions, but I get the feeling that these might come into play, especially based on the root exception being an IllegalStateException from SessionImpl.getAttribute.

[ERROR] 21 Oct 2010 11:06:15,728 btpool0-3 TapestryModule.RequestExceptionHandler (line:62) - Processing of request failed with uncaught exception: org.apache.tapestry5.runtime.ComponentEventException
org.apache.tapestry5.runtime.ComponentEventException
    at org.apache.tapestry5.internal.structure.ComponentPageElementImpl.triggerContextEvent(ComponentPageElementImpl.java:1098)
    at org.apache.tapestry5.internal.services.PageRenderRequestHandlerImpl.handle(PageRenderRequestHandlerImpl.java:56)
    at org.apache.tapestry5.services.TapestryModule$33.handle(TapestryModule.java:1943)
    at $PageRenderRequestHandler_12bcf534c9f.handle($PageRenderRequestHandler_12bcf534c9f.java)
    at $PageRenderRequestHandler_12bcf534c2d.handle($PageRenderRequestHandler_12bcf534c2d.java)
    at org.apache.tapestry5.internal.services.ComponentRequestHandlerTerminator.handlePageRender(ComponentRequestHandlerTerminator.java:48)
    at $ComponentRequestHandler_12bcf534c32.handlePageRender($ComponentRequestHandler_12bcf534c32.java)
    at org.apache.tapestry5.internal.services.PageRenderDispatcher.dispatch(PageRenderDispatcher.java:45)
    at $Dispatcher_12bcf534c35.dispatch($Dispatcher_12bcf534c35.java)
    at $Dispatcher_12bcf534c29.dispatch($Dispatcher_12bcf534c29.java)
    at org.apache.tapestry5.services.TapestryModule$RequestHandlerTerminator.service(TapestryModule.java:245)
    at org.apache.tapestry5.internal.services.RequestErrorFilter.service(RequestErrorFilter.java:26)
    at $RequestHandler_12bcf534c2a.service($RequestHandler_12bcf534c2a.java)
    at org.apache.tapestry5.services.TapestryModule$4.service(TapestryModule.java:778)
    at $RequestHandler_12bcf534c2a.service($RequestHandler_12bcf534c2a.java)
    at org.apache.tapestry5.services.TapestryModule$3.service(TapestryModule.java:767)
    at $RequestHandler_12bcf534c2a.service($RequestHandler_12bcf534c2a.java)
    at org.apache.tapestry5.internal.services.StaticFilesFilter.service(StaticFilesFilter.java:85)
    at $RequestHandler_12bcf534c2a.service($RequestHandler_12bcf534c2a.java)
    at com.moremagic.services.AppModule$1.service(AppModule.java:146)
    at $RequestFilter_12bcf534c25.service($RequestFilter_12bcf534c25.java)
    at $RequestHandler_12bcf534c2a.service($RequestHandler_12bcf534c2a.java)
    at org.apache.tapestry5.internal.services.CheckForUpdatesFilter$2.invoke(CheckForUpdatesFilter.java:90)
    at org.apache.tapestry5.internal.services.CheckForUpdatesFilter$2.invoke(CheckForUpdatesFilter.java:81)
    at org.apache.tapestry5.ioc.internal.util.ConcurrentBarrier.withRead(ConcurrentBarrier.java:85)
    at org.apache.tapestry5.internal.services.CheckForUpdatesFilter.service(CheckForUpdatesFilter.java:103)
    at $RequestHandler_12bcf534c2a.service($RequestHandler_12bcf534c2a.java)
    at $RequestHandler_12bcf534c1f.service($RequestHandler_12bcf534c1f.java)
    at org.apache.tapestry5.services.TapestryModule$HttpServletRequestHandlerTerminator.service(TapestryModule.java:197)
    at org.apache.tapestry5.upload.internal.services.MultipartServletRequestFilter.service(MultipartServletRequestFilter.java:44)
    at $HttpServletRequestHandler_12bcf534c21.service($HttpServletRequestHandler_12bcf534c21.java)
    at org.apache.tapestry5.internal.gzip.GZipFilter.service(GZipFilter.java:53)
    at $HttpServletRequestHandler_12bcf534c21.service($HttpServletRequestHandler_12bcf534c21.java)
    at org.apache.tapestry5.internal.services.IgnoredPathsFilter.service(IgnoredPathsFilter.java:62)
    at $HttpServletRequestFilter_12bcf534c1d.service($HttpServletRequestFilter_12bcf534c1d.java)
    at $HttpServletRequestHandler_12bcf534c21.service($HttpServletRequestHandler_12bcf534c21.java)
    at org.apache.tapestry5.services.TapestryModule$2.service(TapestryModule.java:726)
    at $HttpServletRequestHandler_12bcf534c21.service($HttpServletRequestHandler_12bcf534c21.java)
    at $HttpServletRequestHandler_12bcf534c1b.service($HttpServletRequestHandler_12bcf534c1b.java)
    at org.apache.tapestry5.TapestryFilter.doFilter(TapestryFilter.java:127)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
    at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
    at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.Server.handle(Server.java:324)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
    at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:828)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:514)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
    at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:450)
Caused by: java.lang.IllegalStateException
    at org.mortbay.jetty.servlet.AbstractSessionManager$Session.getAttribute(AbstractSessionManager.java:784)
    at org.apache.tapestry5.internal.services.SessionImpl.getAttribute(SessionImpl.java:53)
    at org.apache.tapestry5.internal.services.SessionApplicationStatePersistenceStrategy.get(SessionApplicationStatePersistenceStrategy.java:48)
    at $ApplicationStatePersistenceStrategy_12bcf534cc6.get($ApplicationStatePersistenceStrategy_12bcf534cc6.java)
    at org.apache.tapestry5.internal.services.ApplicationStateManagerImpl$ApplicationStateAdapter.getOrCreate(ApplicationStateManagerImpl.java:45)
    at org.apache.tapestry5.internal.services.ApplicationStateManagerImpl.get(ApplicationStateManagerImpl.java:126)
    at $ApplicationStateManager_12bcf534c56.get($ApplicationStateManager_12bcf534c56.java)
    at com.moremagic.pages.pss.PssIndex._$read_id(PssIndex.java)
    at com.moremagic.pages.pss.PssIndex.onActivate(PssIndex.java:130)
    at com.moremagic.pages.pss.PssIndex.dispatchComponentEvent(PssIndex.java)
    at org.apache.tapestry5.internal.structure.ComponentPageElementImpl.dispatchEvent(ComponentPageElementImpl.java:902)
    at org.apache.tapestry5.internal.structure.ComponentPageElementImpl.triggerContextEvent(ComponentPageElementImpl.java:1081)
    ... 56 more


Thanks,
Rich
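Andreas' advice in the quoted reply below (invalidate only once the request has finished) written out as a Tapestry 5 RequestFilter. This is an added example, not code from the thread or from Tapestry itself; the class name, the request-attribute flag and the AppModule contribution in the trailing comment are my assumptions.

```java
import java.io.IOException;

import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.RequestFilter;
import org.apache.tapestry5.services.RequestHandler;
import org.apache.tapestry5.services.Response;
import org.apache.tapestry5.services.Session;

/**
 * Added example (not from the thread). Defers the invalidation to the point
 * where the whole Tapestry pipeline has finished with the request, so no
 * dispatcher, onActivate() or SSO lookup can hit an already-dead session,
 * which is what the IllegalStateException in the trace above comes from.
 * Class name and flag name are assumptions.
 */
public class SessionInvalidationFilter implements RequestFilter {

    /** Request attribute a login handler sets once credentials are verified. */
    public static final String INVALIDATE_FLAG = "app.session.invalidate";

    public boolean service(Request request, Response response, RequestHandler handler)
            throws IOException {
        // Run dispatchers, the page cycle and the redirect first ...
        boolean handled = handler.service(request, response);

        // ... then drop the pre-login session so a JSESSIONID fixed before
        // login no longer maps to an authenticated session.
        if (Boolean.TRUE.equals(request.getAttribute(INVALIDATE_FLAG))) {
            Session session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }
        return handled;
    }
}

// In the login event handler, after authentication succeeds (assumed code):
//     request.setAttribute(SessionInvalidationFilter.INVALIDATE_FLAG, Boolean.TRUE);
//
// Registered in AppModule (the trace shows a RequestFilter contributed there already):
//     public static void contributeRequestHandler(OrderedConfiguration<RequestFilter> conf) {
//         conf.add("SessionInvalidation", new SessionInvalidationFilter());
//     }
//
// Caveat: everything kept in the servlet session (SSOs, @Persist fields) goes
// with it, and once the response is committed the container cannot send a new
// Set-Cookie, so state that must survive login belongs in the session the
// container creates on the next request, not in the one being discarded.
```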

On 10/18/2010 08:26 AM, Andreas Andreou wrote:
Yea, that's session fixation...
see http://www.owasp.org/index.php/Session_Fixation

Grabbing the session and invalidating directly does the trick but
you have to be sure this occurs at the end of the request - otherwise
Tapestry may try to reuse the session and because that has been invalidated
you'd get exceptions.


On Mon, Oct 18, 2010 at 14:45, Thiago H. de Paula Figueiredo
<thiag...@gmail.com>  wrote:
On Mon, 18 Oct 2010 08:47:05 -0200, Mike Oestereter
<mike.oestere...@gmail.com>  wrote:

Hi
Hi!

How can I change the value of the JSESSIONID cookie after
successful login - failure to do this will result in a session
hijacking vulnerability.
The session cookie is created and removed by the servlet container (server),
not by Tapestry itself. Have you tried grabbing the Session object and
invalidating it directly?

Could you post us something about the vulnerability? I'm curious to read
about it. :)

In tapestry 5.0 the value of the cookie (somewhat magically and
unexpectedly) changed when a new instance of my SessionState object
was created: e.g.
Are you sure? This doesn't make a lot of sense. As you can have more than
one session state object, changing the session id would be the same as
invalidating the session. This would be a serious bug.

--
Thiago H. de Paula Figueiredo
Independent Java, Apache Tapestry 5 and Hibernate consultant, developer, and
instructor
Owner, Ars Machina Tecnologia da Informação Ltda.
http://www.arsmachina.com.br

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
