Saturday 28 January 2012

Ghost in JSP Session

In my current project I'm using JBoss 4.2.2 GA. As part of the security implementation for the project I had to add the HttpOnly flag to the session cookie. Initially I thought setting useHttpOnly in context.xml would serve the purpose, but later found out that it is supported only from JBoss 5 onwards. So we went ahead and did it by rewriting the JSESSIONID value and setting it as a custom Set-Cookie header. Then something strange happened. Once we used HttpOnly, user sessions were getting shared: when one user changed session values, the change was reflected in another user's browser. For example, changing the language in one browser changed the language in another.

After much debugging and researching I found out that the issue was not with the HttpOnly attribute itself but with a logical error in how we set the header. When a logout occurred we invalidated the session and routed the request via /forms/index.jsp. This flow dropped the HttpOnly flag, and JavaScript was able to access the cookie entries. So as a workaround we added the following header in /forms/index.jsp:

response.setHeader("SET-COOKIE", "JSESSIONID=; Path=" + request.getContextPath() + "; HttpOnly");

This was the culprit. What happened here is that JSESSIONID was cleared, i.e. set to an empty value. So whoever passed through index.jsp via a logout or an error got an empty JSESSIONID. As a result all of these users carried the same (empty) session id, and the container resolved that id to the same session for all of them. That is what caused the sharing: when one person changed the language it was reflected for another. Luckily the fix was simple. Just change the header to:

response.setHeader("SET-COOKIE", "JSESSIONID=" + request.getSession(true).getId() + "; Path=" + request.getContextPath() + "; HttpOnly");

This still prevents JavaScript from accessing the cookie, and because every client is now issued its own session id, it no longer causes session sharing.
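The two header lines above show the bug and the fix inline in a JSP. As an added example (my own code, not the post's or JBoss's), here is the same idea packaged as a servlet filter for a Servlet 2.5 container such as JBoss 4.2.x, where Cookie.setHttpOnly() does not exist: the Set-Cookie value is built by one helper that refuses an empty session id, so the "everyone shares the empty session" failure described above cannot be reintroduced by a later edit. The class name, the helper name and the filter mapping are assumptions; request.getSession(true), getId() and getContextPath() are the standard Servlet API calls the post itself uses.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (added example, not the post's code) for a Servlet 2.5
 * container such as JBoss 4.2.x, which has no Cookie.setHttpOnly().
 * It re-emits the JSESSIONID cookie with the HttpOnly flag, always using the
 * id of the *current* session, never a hard-coded or empty value.
 */
public class HttpOnlySessionCookieFilter implements Filter {

    /**
     * Builds the Set-Cookie value. An empty or null session id is rejected:
     * emitting "JSESSIONID=" would give every client the same (empty) id,
     * which is exactly the session-sharing bug described in the post.
     */
    static String buildSessionCookie(String sessionId, String contextPath) {
        if (sessionId == null || sessionId.trim().length() == 0) {
            throw new IllegalArgumentException("refusing to emit JSESSIONID with an empty value");
        }
        // Root context has an empty context path; the cookie path must still be "/".
        String path = (contextPath == null || contextPath.length() == 0) ? "/" : contextPath;
        return "JSESSIONID=" + sessionId + "; Path=" + path + "; HttpOnly";
    }

    public void init(FilterConfig config) {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // After a logout the old session has been invalidated, so getSession(true)
        // creates a fresh one with a new id. That id goes into the cookie, so each
        // client that passes through the logout/error page gets its own session.
        HttpSession session = request.getSession(true);
        response.setHeader("Set-Cookie",
                buildSessionCookie(session.getId(), request.getContextPath()));

        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

Two points worth knowing before mapping this filter (for example to /forms/* in web.xml): setHeader replaces every Set-Cookie header already on the response, including the container's own JSESSIONID cookie, which is why this approach works, but it also means any other cookies must be added after the filter has run; and if the application is served over HTTPS, appending "; Secure" to the value returned by buildSessionCookie keeps the session id off plaintext connections.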
