You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shiro.apache.org by "Devendra Mani (JIRA)" <ji...@apache.org> on 2015/07/10 09:07:04 UTC
[jira] [Issue Comment Deleted] (SHIRO-170) Force New Session ID on
Authentication
[ https://issues.apache.org/jira/browse/SHIRO-170?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Devendra Mani updated SHIRO-170:
--------------------------------
Comment: was deleted
(was: package in.org.cris.oaew.common.shiro;
You need to override executeLogin only for "Force New Session ID on Authentication" example like:
import java.util.Collection;
import java.util.LinkedHashMap;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.DisabledAccountException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class MyFormAuthenticationFilter extends FormAuthenticationFilter {
private static final Logger log = LoggerFactory.getLogger(MyFormAuthenticationFilter.class);
@Override
protected boolean executeLogin(final ServletRequest request, final ServletResponse response) throws Exception {
final AuthenticationToken token = createToken(request, response);
if (token == null)
{ String msg = "createToken method implementation returned null. A valid non-null AuthenticationToken " + "must be created in order to execute a login attempt."; throw new IllegalStateException(msg); }
try {
// Stop session fixation issues.
// https://issues.apache.org/jira/browse/SHIRO-170
final Subject subject = getSubject(request, response);
Session session = subject.getSession();
String old_id= (String) session.getId();
// Store the attributes so we can copy them to the new session after auth.
final LinkedHashMap<Object, Object> attributes = new LinkedHashMap<Object, Object>();
final Collection<Object> keys = session.getAttributeKeys();
for (Object key : keys) {
final Object value = session.getAttribute(key);
if (value != null)
{ attributes.put(key, value); }
}
session.stop();
subject.login(token);
// Restore the attributes.
session = subject.getSession();
log.debug("OWASP session fixation from " +old_id +" to "+ session.getId());
for (final Object key : attributes.keySet())
{ session.setAttribute(key, attributes.get(key)); }
return onLoginSuccess(token, subject, request, response);
} catch (AuthenticationException e)
{ return onLoginFailure(token, e, request, response); }
}
}
)
> Force New Session ID on Authentication
> --------------------------------------
>
> Key: SHIRO-170
> URL: https://issues.apache.org/jira/browse/SHIRO-170
> Project: Shiro
> Issue Type: New Feature
> Components: Authentication (log-in), Configuration
> Affects Versions: 1.0.0, 1.1.0, 1.2.0
> Reporter: Jakob Külzer
> Priority: Minor
> Fix For: 1.3.0
>
>
> I am working on an application that has very high security standards. One of the issues raised after a full audit of the app is that it might be vulnerable for session fixation attacks. Shiro does not reset the Session ID after successful authentication, which would prevent this type of attack.
> IMHO this would add another level of security to Shiro beneficial for all kinds of applications.
> OWASP has a good page on session fixation attacks: http://www.owasp.org/index.php/Session_fixation
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)