Session fixation in Java

Çağlar Arlı

In the process of developing a vulnerable JSP/servlet-based application, I made an attempt to introduce the session fixation vulnerability.

Referring to the documentation, I came up with the following code which, when used in the servlet to create a new session, should return the existing HTTP session if one exists and otherwise return null. In any case a new session should not be created.

    if (obj.checkLogin(username, password)) {            // if credentials are valid
        HttpSession session = request.getSession(false); // return the existing session, or null; never create one

        if (session != null) {
            // ... continue with the existing (pre-login) session
        }
    }

In order to test the code I deployed it on Tomcat 7 and tested for session fixation:

  1. Observe the cookie (c1) when the login page loads (using an intercepting proxy)
  2. Enter the correct credentials in the login form. The authentication was successful and I was redirected to LoginSuccess.jsp
  3. Observe the cookie (c2) after the authentication.

I found the cookies c1 and c2 to be different, which implies that the code is not vulnerable to session fixation. I am having trouble understanding this behaviour. Why is it that the original cookie c1 does not persist after the authentication?
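As an added example (not the poster's code), here are the two login patterns side by side in one Servlet 3.0 file for Tomcat 7: `/loginFixable` keeps whatever session id the browser presented at login, which is the fixation behaviour the question is trying to build, and `/loginSafe` invalidates that session and issues a fresh id. The outer class `SessionFixationDemo`, the two URL mappings, and the hard-coded `Credentials.checkLogin` stand-in for the question's `obj.checkLogin` are assumptions made for the example; `LoginSuccess.jsp` is the page named in the question. Because Tomcat 7 implements Servlet 3.0, `request.changeSessionId()` (Servlet 3.1) is not available, so the safe version uses invalidate-and-recreate.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Example code, not from the original post. Both servlets are public static
// nested classes so that the whole demo fits in SessionFixationDemo.java;
// Tomcat's annotation scanning registers them from the @WebServlet mappings.
public class SessionFixationDemo {

    /** Stand-in for obj.checkLogin(username, password) from the question (assumed). */
    public static final class Credentials {
        static boolean checkLogin(String username, String password) {
            return "alice".equals(username) && "s3cret".equals(password);
        }
    }

    /**
     * Login that keeps the session id the browser arrived with. If an attacker
     * planted that JSESSIONID before login, the attacker now holds an
     * authenticated session: this is the fixation pattern.
     */
    @WebServlet("/loginFixable")
    public static class FixableLoginServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            String username = request.getParameter("username");
            String password = request.getParameter("password");
            if (!Credentials.checkLogin(username, password)) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // getSession(false) never creates a session: it returns the one
            // matching the presented JSESSIONID, or null if there is none.
            HttpSession session = request.getSession(false);
            if (session == null) {
                // No valid cookie was presented, so a session must be created
                // here; only in this branch does the id seen by the browser change.
                session = request.getSession(true);
            }
            session.setAttribute("user", username);
            response.sendRedirect(request.getContextPath() + "/LoginSuccess.jsp");
        }
    }

    /**
     * Hardened login: the pre-authentication session is discarded and a new
     * one created, so the id observed before login never becomes an
     * authenticated id.
     */
    @WebServlet("/loginSafe")
    public static class SafeLoginServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            String username = request.getParameter("username");
            String password = request.getParameter("password");
            if (!Credentials.checkLogin(username, password)) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            HttpSession old = request.getSession(false);
            if (old != null) {
                old.invalidate();   // drops the pre-login id and everything stored under it
            }
            HttpSession session = request.getSession(true);   // new id, new Set-Cookie header
            session.setAttribute("user", username);
            response.sendRedirect(request.getContextPath() + "/LoginSuccess.jsp");
        }
    }
}
```

To repeat the test from the question against each endpoint: load the login page and note the JSESSIONID it sets, then POST username=alice&password=s3cret with that cookie attached and look at the response. The fixable servlet sends no new Set-Cookie when the presented id maps to a live session (the id survives login), while the safe servlet always answers with a fresh JSESSIONID. If the fixable servlet also changes the id, the presented cookie did not match a live session on the server, which is the condition to inspect in the proxy.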