Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications. These best practices, derived from Security Innovation's assessments of the world's most dominant software applications, are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.

Secure Development Tips

A blog with tips relating to secure application development, from Security Innovation's e-knowledge database, TeamMentor


Protect Session Cookies


Applies to

Applications written using Servlets or JSP.

What to Do

Protect the confidentiality of session cookies.

Why

Session cookies are used by an application to identify the session associated with a particular user. Protecting session cookies can help prevent an attacker from hijacking the session and using the application as a legitimate user.

When

If your application uses cookies to maintain a user's session state, then use this guideline to protect the cookie.

How

Use the following steps to secure session cookies:

  1. Do not allow users to choose their own session identifiers. Java automatically assigns random IDs to its sessions, which minimizes the risk of an attacker hijacking another user's session by using the same session ID. To use sessions in Java, invoke HttpServletRequest.getSession:
    HttpSession session = request.getSession();
  2. Invalidate the session identifier on login (as well as logout) to ensure session identifiers are not reused. This is one part of the approach necessary to prevent session hijacking. Use HttpSession.invalidate to accomplish this. After the session has been invalidated, the call below will generate a new session identifier.
    HttpSession session = request.getSession(true);
  3. Time out sessions. Set an expiration time for sessions. This helps minimize the threat of session hijacking by giving an attacker a smaller window of opportunity. Depending on your application, an appropriate timeout can be anywhere from 10 to 20 minutes. Set when sessions expire through HttpSession.setMaxInactiveInterval in code, or via the session-timeout configuration in the web.xml file.
  4. Allow users to terminate their sessions. Allowing users to invalidate their sessions reduces the risk of a session being hijacked. Use HttpSession.invalidate to accomplish this.
  5. Ensure cookies are sent over encrypted channels. Mark cookies sent over SSL as Secure. Use Cookie.setSecure to require SSL when sending out the given cookie. Avoid sending session cookies over unencrypted channels, as that makes session hijacking much easier. Use ServletRequest.isSecure to verify whether SSL is being used. There is a cookie-secure attribute that can be set for the session id cookie in the web.xml file.

Note: PCI DSS requirements state that sessions that are idle for 15 minutes should be locked automatically and require the user's password to unlock.
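The steps above, applied together in a single login servlet, as an added example that is not code from the original post or from TeamMentor. It assumes an application-specific Authenticator.check(username, password) helper, a /login URL mapping and a /home landing page; the session cookie's own Secure flag is assumed to be set through web.xml as described in step 5.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: a login servlet applying steps 1, 2, 3 and 5 above.
// Authenticator.check(...) is an assumed application helper, not a servlet API.
// The container's own session cookie is marked Secure via cookie-secure in web.xml.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    // Idle timeout in seconds; 15 minutes matches the PCI DSS note above.
    private static final int IDLE_TIMEOUT_SECONDS = 15 * 60;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Step 5: never establish an authenticated session over plain HTTP.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        String user = req.getParameter("username");
        if (!Authenticator.check(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Step 2: drop whatever session existed before login so its ID is never reused...
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        // Step 1: ...and let the container issue a fresh, randomly generated ID.
        HttpSession session = req.getSession(true);
        session.setAttribute("user", user);
        // Step 3: expire the session after a period of inactivity.
        session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
        // Step 5: any cookie the application sets itself must also be marked Secure.
        Cookie prefs = new Cookie("ui_prefs", "default");
        prefs.setSecure(true);
        resp.addCookie(prefs);
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```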

Problem Example

The following code shows the logout function of the LoginModule used when relying on JAAS for authentication. The code removes all authentication tokens associated with the current session but fails to invalidate the session.

public boolean logout() throws LoginException {
      subject.getPrincipals().remove(userToken);

      clearCredentials();
      userToken = null;

      // The application should have invalidated the session here.

      // Log the logout event. Consult the Logging section for more details

      return true;
}

Solution Example

The following code shows the logout function of the LoginModule used when relying on JAAS for authentication. The code removes all authentication tokens associated with the current session and invalidates the session.

public boolean logout() throws LoginException {
      subject.getPrincipals().remove(userToken);

      clearCredentials();
      userToken = null;

      // The application invalidates the session when
      // the user is logging out
      HttpSession session = common.getCurrentSession();
      session.invalidate();

      // Log the logout event. Consult the Logging section for more details

      return true;
}
