SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 30

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version 31

changes.mady.by.user Ryan Hall

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#FFcccc
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.*;
import com.insecure.model.UserDAO;
import com.insecure.databeans.UserBean;

public class InsecureServlet extends HttpServlet {
  private UserDAO userDAO;

  // ...

  private String login(HttpServletRequest request, HttpServletResponse response) {
    List<String> errors = new ArrayList<String>();
    request.setAttribute("errors", errors);
        
    String username = request.getParameter("username");
    String password = request.getParameter("password");
        
    // Basic input validation
    if(!username.matches("[\\w]*") || !password.matches("[\\w]*")) {
      errors.add("Incorrect user name or password format.");
      return "error.jsp";
    }
      
    UserBean dbUser = this.userDAO.lookup(username);
    if(!dbUser.checkPassword(password)) {
      errors.add("Passwords do not match.");
      return "error.jsp";
    }
         
    // Create a cookie that contains the username
    Cookie userCookie = new Cookie("username", username);
    // Create a cookie that contains the usernamepassword
    Cookie passCookie = new Cookie("password", password);
    // CreatesSend athe cookie thatinformation containsto the passwordclient
    response.addCookie(userCookie); // Send the cookie information to the client
    response.addCookie(passCookie);

    return "welcome.jsp";
  }
}

...

Code Block
bgColor#ccccff
public class InsecureServlet extends HttpServlet {
  private UserDAO userDAO;

  // ...

  private String login(HttpServletRequest request, HttpServletResponse response) {
    List<String> errors = new ArrayList<String>();
    request.setAttribute("errors", errors);

    String username = request.getParameter("username");
    String password = request.getParameter("password");

    // Basic input validation
    if(!username.matches("[\\w]*") || !password.matches("[\\w]*")) {
      errors.add("Incorrect user name or password format.");
      return "error.jsp";
    }

    UserBean dbUser = this.userDAO.lookup(username);
    if(!dbUser.checkPassword(password)) {
      errors.add("Passwords do not match.");
      return "error.jsp";
    }

    HttpSession session = request.getSession();
    session.invalidate(); // Invalidate old session id
    session = request.getSessioninvalidate(true);
    // Generate new session id
    session = request.setMaxInactiveInterval(2*60*60getSession(true);
    // Set session timeout to twoone hourshour
    session.setAttribute("user", dbUsersetMaxInactiveInterval(60*60);
    // Store user bean within the session
    session.setAttribute("user", dbUser);

    return "welcome.jsp";
  }
}

Wiki Markup
This solution uses a session and not a cookie to store user information. Additionally, the current session is invalidated and a new session is created to avoid session fixation attacks as noted by The Open Web Application Security Project \[OWASP 2009\] .  The timeout of the session has also been set to twoone hourshour to minimize the window that an attacker has to perform any a session hijacking attack.

...