11Kas
Session fixation in Java
In the process of developing a vulnerable jsp/servlet based application I made an attempt to introduce the session fixation vulnerability.
Referring to the documentation I came up with the following code which when used in the servlet to create a new session, should return the existing HTTP session if it exists and otherwise it should return null. In any case a new session should not be created.
if(obj.checkLogin(username, password))//if credentials are valid
{
HttpSession session = request.getSession(false);//return the existing session
if(session != null)
response.sendRedirect("LoginSuccess.jsp");
else
response.sendRedirect("error.jsp");
}
In order to test the code I deployed it using tomcat 7 and tested for session fixation:
- Observe the cookie (
c1) when login page loads (using an intercepting proxy) - Enter the correct credentials in the login form. The authentication was successful and I was redirected to LoginSuccess.jsp
- Observe the cookie (
c2) after the authentication.
I found the cookies c1 and c2 to be different. Which implies that the code is not vulnerable to session fixation. I am having trouble understanding this behavior. Why is it that the original cookie c1 does not persist after the authentication?
