Posted to dev@shiro.apache.org by "Dmitry Gusev (Jira)" <ji...@apache.org> on 2021/05/17 08:59:00 UTC

[jira] [Commented] (SHIRO-170) Force New Session ID on Authentication

    [ https://issues.apache.org/jira/browse/SHIRO-170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17345981#comment-17345981 ] 

Dmitry Gusev commented on SHIRO-170:
------------------------------------

Just wanted to warn everybody who used the above snippets for copying session attributes back after a successful login.

The provided code examples have an error: they do not check whether the new principal is actually the same as the one before.

Without that check you may accidentally allow any valid login to join the session of the previous principal.

`subject.login(token)` stores the token's principal in session attributes on successful login, and restoring the previous attributes back will overwrite the new principal with the old one.

So make sure you only copy the previous attributes back if you have confirmed the previous session was from the same principal.

It may also not be a bad idea to add an extra check so as not to overwrite any attributes that already exist in the new session, as Shiro stores some other attributes in the session during login and they had better be preserved.

> Force New Session ID on Authentication
> --------------------------------------
>
>                 Key: SHIRO-170
>                 URL: https://issues.apache.org/jira/browse/SHIRO-170
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Configuration
>    Affects Versions: 1.0.0, 1.1.0, 1.2.0
>            Reporter: Jakob Külzer
>            Priority: Minor
>             Fix For: 2.0.0
>
>
> I am working on an application that has very high security standards. One of the issues raised after a full audit of the app is that it might be vulnerable to session fixation attacks. Shiro does not reset the Session ID after successful authentication, which would prevent this type of attack.
> IMHO this would add another level of security to Shiro, beneficial for all kinds of applications.
> OWASP has a good page on session fixation attacks: http://www.owasp.org/index.php/Session_fixation
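The two checks Dmitry describes in his comment (restore attributes only for the same principal, and never overwrite attributes the login already wrote) can be put together as follows. This is an added example written for this page, not code from the Jira thread or from the Shiro project; the class name `SessionRotatingLogin`, the `allowAnonymousCarryOver` flag and the `snapshot` helper are this example's own inventions, while the Shiro calls (`SecurityUtils.getSubject()`, `Subject.getSession(boolean)`, `Session.getAttributeKeys()`, `Session.stop()`, `Subject.login(...)`) are the public 1.x API.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

/**
 * Hypothetical helper (not part of Shiro): rotate the session id on login and
 * carry the pre-login attributes over only when that cannot change who the
 * session belongs to.
 */
public final class SessionRotatingLogin {

    private SessionRotatingLogin() {
    }

    /**
     * @param token                   credentials to authenticate with
     * @param allowAnonymousCarryOver whether attributes of a session that had no
     *                                principal at all (a plain anonymous visitor)
     *                                may be carried into the authenticated session
     */
    public static void login(AuthenticationToken token, boolean allowAnonymousCarryOver)
            throws AuthenticationException {
        Subject subject = SecurityUtils.getSubject();

        // Snapshot identity and attributes BEFORE anything changes; a stopped
        // session throws InvalidSessionException on every accessor.
        Object previousPrincipal = subject.getPrincipal();          // null when anonymous
        Map<Object, Object> previousAttributes = snapshot(subject.getSession(false));

        // Invalidate the pre-authentication session so its id is never reused
        // (the session-fixation defence the issue asks for).
        Session old = subject.getSession(false);
        if (old != null) {
            old.stop();
        }

        // Shiro now creates a fresh session and records the authenticated
        // principal (and the "authenticated" flag) in it as session attributes.
        subject.login(token);
        Session fresh = subject.getSession(true);

        // Check 1: old attributes may only be restored when the old session
        // belonged to the very same principal. For a different principal a
        // blind copy would overwrite the freshly stored identity with the old one.
        Object newPrincipal = subject.getPrincipal();
        boolean samePrincipal = previousPrincipal != null
                && Objects.equals(previousPrincipal, newPrincipal);
        boolean anonymousBefore = previousPrincipal == null;
        if (!samePrincipal && !(anonymousBefore && allowAnonymousCarryOver)) {
            return; // nothing is carried over
        }

        // Check 2: never overwrite anything the login already placed in the new
        // session (principal collection, authenticated flag, ...).
        for (Map.Entry<Object, Object> e : previousAttributes.entrySet()) {
            if (fresh.getAttribute(e.getKey()) == null) {
                fresh.setAttribute(e.getKey(), e.getValue());
            }
        }
    }

    /** Copies all attributes of a live session; empty map when there is none. */
    private static Map<Object, Object> snapshot(Session session) {
        Map<Object, Object> copy = new HashMap<>();
        if (session != null) {
            for (Object key : session.getAttributeKeys()) {
                copy.put(key, session.getAttribute(key));
            }
        }
        return copy;
    }
}
```

Call it as `SessionRotatingLogin.login(new UsernamePasswordToken(user, password), false)` in place of a bare `subject.login(token)`. With the flag set to `false` the helper is strict in the sense of the comment: attributes only survive rotation when the previous session already belonged to the principal that just logged in. Setting it to `true` additionally keeps attributes of a session that had no principal (for example a visitor's cart); either way a pre-login session held by a different principal is dropped, and the keys Shiro writes during `login` are left untouched because existing attributes are never overwritten.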



--
This message was sent by Atlassian Jira
(v8.3.4#803005)