Posted to user@shiro.apache.org by Nagaraju Kurma <na...@enhancesys.com> on 2015/07/11 09:19:57 UTC

Session token in url

Hello Team,

As we know, this is one of the vulnerability challenges where we are
supposed to remove the JSESSIONID from the URL.

I observed that there is a possibility with the plain Servlet API 3.x
version: the web.xml configuration which disables the JSESSIONID in
the URL is

<session-config>
 <tracking-mode>COOKIE</tracking-mode>
</session-config>

But Shiro will identify and read the above configuration if and only if the
Shiro XML contains a session manager configuration with the class

<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.ServletContainerSessionManager"></bean>

But the limitations with the above class are:

1) No session listeners configuration
2) No Session dao configuration
3) No Session validation scheduler configuration
4) No invalid session deletion configuration
etc.

But removing the session token from the URL is possible with this.

To address all the above limitations I am using the following session
manager:

<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager"></bean>

But with this I am unable to hide the session token from the URL, as it
doesn't read the web.xml configuration, context.xml, etc.

Does anybody have any workaround for this, or is there any other session
manager which includes the functionality of both of the above session
managers, so that I can address all the above limitations and the session
token issue?

I am facing issues with this insufficient configuration. Could anybody
please suggest the way forward?




-- 

Thanks & Regards

Nagaraju Kurma
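Added example (not code from the post or from the Shiro project): a programmatic equivalent of the two <bean> definitions above, showing that a DefaultWebSessionManager can carry the session DAO, listeners, validation scheduler and invalid-session deletion that ServletContainerSessionManager lacks and still keep the id out of URLs. The URL-rewriting switch, setSessionIdUrlRewritingEnabled(false), was added in Shiro 1.3.0 (after this thread); on older releases it does not exist. The package name, the MemorySessionDAO choice, the timeout values and the Secure cookie flag (assumes HTTPS) are assumptions. The listener at the end applies the Servlet 3.x <tracking-mode>COOKIE</tracking-mode> setting in code for any HttpSession the container itself still creates (a JSP does so by default), since the native Shiro session manager never reads web.xml.

```java
package com.example.shiro; // hypothetical package name

import java.util.Collections;
import java.util.EnumSet;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;

import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListener;
import org.apache.shiro.session.SessionListenerAdapter;
import org.apache.shiro.session.mgt.eis.MemorySessionDAO;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

public final class CookieOnlySessionConfig {

    /** Native Shiro session manager that keeps the id out of URLs and still has DAO, listeners and validation. */
    public static DefaultWebSessionManager sessionManager(SessionDAO dao) {
        DefaultWebSessionManager sm = new DefaultWebSessionManager();

        // Shiro 1.3.0+: ShiroHttpServletResponse.encodeURL()/encodeRedirectURL() no longer
        // append ";JSESSIONID=..." and a session id presented in the URL is ignored.
        sm.setSessionIdUrlRewritingEnabled(false);

        // The id travels only in a cookie: unreadable from script, sent only over TLS.
        SimpleCookie cookie = new SimpleCookie("JSESSIONID");
        cookie.setHttpOnly(true);
        cookie.setSecure(true);                                   // assumption: app served over HTTPS
        sm.setSessionIdCookieEnabled(true);
        sm.setSessionIdCookie(cookie);

        // The four things the poster could not configure on ServletContainerSessionManager:
        sm.setSessionListeners(Collections.<SessionListener>singletonList(   // 1) session listener
                new SessionListenerAdapter() {
                    @Override
                    public void onExpiration(Session session) {
                        // audit hook, e.g. log session.getId() and session.getHost()
                    }
                }));
        sm.setSessionDAO(dao);                                    // 2) session DAO
        sm.setSessionValidationSchedulerEnabled(true);            // 3) validation scheduler
        sm.setSessionValidationInterval(15 * 60 * 1000L);         //    every 15 min (assumed value)
        sm.setDeleteInvalidSessions(true);                        // 4) drop invalid sessions
        sm.setGlobalSessionTimeout(30 * 60 * 1000L);              // 30 min idle timeout (assumed value)
        return sm;
    }

    public static DefaultWebSecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setSessionManager(sessionManager(new MemorySessionDAO()));
        return securityManager;
    }

    /**
     * Container side, the same effect as <session-config><tracking-mode>COOKIE</tracking-mode></session-config>:
     * Shiro's native sessions never touch web.xml, but an HttpSession the container still
     * creates on its own (a JSP does, unless session="false") must not be URL-tracked either.
     */
    public static final class CookieOnlyTrackingListener implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            sce.getServletContext().setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) { }
    }
}
```

In the Spring XML form used in the post, the same switch is <property name="sessionIdUrlRewritingEnabled" value="false"/> on the DefaultWebSessionManager bean; the listener is registered with <listener> in web.xml or @WebListener. With the switch off, the first response after session creation no longer carries ";JSESSIONID=" in encoded URLs, which is the case the filter in the reply below this thread works around for older Shiro versions.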

Re: Session token in url

Posted by Nagaraju Kurma <na...@enhancesys.com>.
Hello Team,

After digging into it at a low level, I have finally resolved this issue in a
very simple manner by writing a custom DelegatingFilterProxy as follows.

CustomDelegatingFilterProxy.java
--------------------------------

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.DelegatingFilterProxy;

public class CustomDelegatingFilterProxy extends DelegatingFilterProxy {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain filterChain) throws ServletException, IOException {
        HttpServletRequest hRequest = (HttpServletRequest) request;
        HttpServletResponse hResponse = (HttpServletResponse) response;
        /*
         * This method's functionality is extended only to remove the JSESSIONID from
         * the URL: ignore all requests and trap only the first request, which is the
         * one immediately after the session got created. That is the request for the
         * bare context root (request URI equal to the context path); it is answered
         * with a redirect whose Location carries no session id, instead of being
         * passed on to the Shiro filter.
         */
        if (hRequest.getContextPath().equalsIgnoreCase(hRequest.getRequestURI())) {
            hResponse.sendRedirect(hRequest.getContextPath().concat("/user/login"));
            return;
        } else {
            super.doFilter(request, response, filterChain);
        }
    }
}

web.xml
-----------

<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>com.package.CustomDelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

The above code and configuration allowed me to hide the JSESSIONID from the
URL on the first request, immediately after the session got created.

I think the above code may be helpful to you if you have the same
vulnerability issue / requirement.

On Sat, Jul 11, 2015 at 12:49 PM, Nagaraju Kurma <nagaraju.kurma@enhancesys.com> wrote:




-- 

Thanks & Regards

Nagaraju Kurma
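As an added example (not the poster's code and not part of Shiro), here is the general form of the trap above. The reply's filter redirects only the bare context-root request, so a session id that reaches any other URL (a bookmarked or pasted ";JSESSIONID=..." link, or a fixation attempt) is still passed through to Shiro. The filter below instead rejects every request whose URI carries a jsessionid path parameter, matched case-insensitively so that both the container's ";jsessionid=" and Shiro's ";JSESSIONID=" form are caught, and redirects to the same URL with the parameter removed; the id in the URL is therefore never used to look up a session. It assumes the javax.servlet API (Servlet 3.x); the package and class names are assumptions.

```java
package com.example.shiro; // hypothetical package name

import java.io.IOException;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Refuses to honour a session id carried in the URL path. Any request whose
 * request URI contains a ";jsessionid=..." path parameter is answered with a
 * redirect to the same URL minus that parameter. The redirect target carries
 * no id, so a client that really holds a session cookie continues with it and
 * a client that only had the id in the URL gets a fresh session rather than
 * the one named in the URL.
 */
public class SessionIdInUrlFilter implements Filter {

    private static final String PARAM = ";jsessionid=";

    /**
     * Removes every ";jsessionid=<value>" path parameter (case-insensitive) from a
     * request URI. A path parameter ends at the next ';' or '/' or at end of string.
     * Returns null when the URI contained no such parameter.
     * e.g. "/app/user;JSESSIONID=abc/profile;jsessionid=def" -> "/app/user/profile"
     */
    static String stripSessionId(String requestUri) {
        String lower = requestUri.toLowerCase(Locale.ROOT);
        int start = lower.indexOf(PARAM);
        if (start < 0) {
            return null;
        }
        StringBuilder cleaned = new StringBuilder(requestUri.length());
        int copiedUpTo = 0;
        while (start >= 0) {
            cleaned.append(requestUri, copiedUpTo, start);
            int end = start + PARAM.length();
            while (end < requestUri.length()
                    && requestUri.charAt(end) != ';' && requestUri.charAt(end) != '/') {
                end++;
            }
            copiedUpTo = end;
            start = lower.indexOf(PARAM, copiedUpTo);
        }
        cleaned.append(requestUri, copiedUpTo, requestUri.length());
        return cleaned.toString();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // getRequestURI() keeps path parameters; getServletPath()/getPathInfo() have them stripped.
        String cleaned = stripSessionId(req.getRequestURI());
        if (cleaned == null) {
            chain.doFilter(request, response);
            return;
        }
        String query = req.getQueryString();
        String target = (query == null) ? cleaned : cleaned + "?" + query;
        // The redirect is not worth caching and must not be served to another user later.
        resp.setHeader("Cache-Control", "no-store");
        // cleaned starts with '/', which sendRedirect resolves against the server root;
        // getRequestURI() already includes the context path, so no prefixing is needed.
        resp.sendRedirect(target);
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }
}
```

Map it in web.xml with a <filter-mapping> on /* placed before the shiroFilter mapping, so the URL-carried id is bounced before Shiro's session resolution sees it. Because the redirect target contains no path parameter, the filter cannot loop; a client that keeps re-sending the URL form simply keeps being redirected.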