SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 92

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version 93

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

For web applications, the most common mitigation to this problem is to provide the client with a cookie and store the sensitive information on the server. Cookies are created by a web server , and are stored for a period of time on the client. When the client re-connects to the server, it provides the cookie, which identifies the client to the server, and the server then provides the sensitive information.

Cookies do not protect sensitive information against cross-site scripting (XSS) attacks. An attacker who is able to obtain a cookie either through an XSS attack , or directly by attacking the client , can obtain the sensitive information from the server using the cookie. This risk is timeboxed if the server invalidates the session after a limited time has elapsed, such as 15 minutes.

 

A cookie is typically a short string. If it contains sensitive information, that information should be encrypted. Sensitive information includes user names, passwords, credit card numbers, social security numbers, and any other personally identifiable information about the user. For more details about managing passwords, see 13. Store passwords using a hash function. For more information about securing the memory that holds sensitive information, see 01. Limit the lifetime of sensitive data.

...

Code Block
bgColor#FFcccc
protected void doPost(HttpServletRequest request,
    HttpServletResponse response) {

  // Validate input (omitted)

  String String username = request.getParameter("username");
  char[] password = request.getParameter("password").toCharArray();
  boolean rememberMe = Boolean.valueOf(request.getParameter("rememberme"));
  
  LoginService loginService = new LoginServiceImpl();
        
  if (rememberMe) {
    if (request.getCookies()[0] != null && request.getCookies()[0].getValue() != null) {
      String[] value = request.getCookies()[0].getValue().split(";");
      
      if (!loginService.isUserValid(value[0], value[1].toCharArray())) {
        // Set error and return
      } else {
        // Forward to welcome page
      }
    } else {
        boolean validated = loginService.isUserValid(username, password);
      
        if (validated) {
          Cookie loginCookie = new Cookie("rememberme", username
                             + ";" + new String(password));
          response.addCookie(loginCookie);
          // ... forward to welcome page
        } else {
          // Set error and return
        }
     }
   } else {
     // No remember-me functionality selected
      // Proceed with regular authentication,;
     // if it fails set error and return
   }
    
  Arrays.fill(password, ' ');
}

However, the attempt to implement the remember-me functionality is insecure because an attacker with access to the client machine can obtain this informationdirectly information directly on the client. This code also violates 13. Store passwords using a hash function.

...

Code Block
bgColor#ccccff
protected void doPost(HttpServletRequest request,
    HttpServletResponse response) {
  
  // Validate input (omitted)

  String String username = request.getParameter("username");
  char[] password = request.getParameter("password").toCharArray();
  boolean rememberMe = Boolean.valueOf(request.getParameter("rememberme"));
  LoginService loginService = new LoginServiceImpl();
    boolean validated = false;
    if (rememberMe) {
      if (request.getCookies()[0] != null &&
          && request.getCookies()[0].getValue() != null) {
                             
        String[] value = request.getCookies()[0].getValue().split(";");
             
       if if(value.length != 2) {
          // Set error and return
        }
             
        if (!loginService.mappingExists(value[0], value[1])) { 
        // (username, random)
          // Set error and return
        }
      } else {
        validated = loginService.isUserValid(username, password);
                       
        if (!validated) {
          // Set error and return
        }
      }
        
     String newRandom = loginService.getRandomString();
     // Reset the random every time
     loginService.mapUserForRememberMe(username, newRandom);
     HttpSession session = request.getSession();
     session.invalidate();
     session = request.getSession(true);
     // Set session timeout to onefifteen hourminutes
     session.setMaxInactiveInterval(60 * 6015);
     // Store user attribute and a random attribute in session scope
     session.setAttribute("user", loginService.getUsername());
     Cookie loginCookie = 
      new Cookie("rememberme", username + ";"
                                      + newRandom);
     response.addCookie(loginCookie);
     // ... forward to welcome page
   } else {
    // No remember-me functionality selected
    // ... authenticate using isUserValid() and if failed, set error
   }
    Arrays.fill(password, ' ');
}

The server maintains a mapping between user names and secure random strings. When a user selects “Remember me,” the doPost() method checks whether the supplied cookie contains a valid user name and random string pair. If the mapping contains a matching pair, the server authenticates the user and forwards him or her to the welcome page. If not, the server returns an error to the client. If the user selects “Remember me” but the client fails to supply a valid cookie, the server requires the user to authenticate using his or her credentials. If the authentication is successful, the server issues a new cookie with remember-me characteristics.

...