...
```java
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

private String login(HttpServletRequest request, HttpServletResponse response) {
  List<String> errors = new ArrayList<String>();
  request.setAttribute("errors", errors);
  String username = request.getParameter("username");
  String password = request.getParameter("password");
  // Reject input that is absent or contains anything other than word characters
  if (username == null || !username.matches("[\\w]*")) {
    errors.add("Incorrect username format.");
  }
  if (password == null || !password.matches("[\\w]*")) {
    errors.add("Incorrect password format.");
  }
  if (errors.size() > 0) {
    return "error.do";
  }
  UserBean dbUser = this.userDAO.lookup(username);
  // An unknown user and a wrong password get the same message, so the
  // response does not reveal which usernames exist
  if (dbUser == null || !dbUser.checkPassword(password)) {
    errors.add("Invalid username or password.");
    return "error.do";
  }
  // Discard the pre-authentication session and issue a fresh id, so an id
  // planted by an attacker before login (session fixation) is never promoted
  HttpSession session = request.getSession();
  session.invalidate();
  session = request.getSession(true);
  // Inactivity timeout of two hours (argument is in seconds)
  session.setMaxInactiveInterval(2 * 60 * 60);
  // The user record stays server-side; only the opaque session id reaches the client
  session.setAttribute("user", dbUser);
  return "welcome.do";
}
```
In this solution, user information is kept in a server-side session rather than in a cookie, so only an opaque session id is sent to the client. The session that existed before authentication is invalidated and a new one is created, so that a session id chosen by an attacker before login (session fixation) is never promoted to an authenticated session. The session's maximum inactive interval is set to two hours, which limits the window in which a stolen session id can be used. Note that this is an inactivity timeout, not an absolute lifetime: a session that an attacker keeps active does not expire on its own, so an absolute limit must be enforced separately if one is wanted.
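Because `setMaxInactiveInterval` only bounds idle time, a practitioner who wants a hard cap on session age needs an additional check. The filter below is an added example, not code from the CERT page: it assumes the Servlet 3.0 API, a hypothetical cap of eight hours, and a hypothetical login view at `/login.do`. It compares the session's creation time against the cap on every request and invalidates sessions that are too old, however active they have been.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Enforces an absolute session lifetime on top of the container's inactivity timeout. */
@WebFilter("/*")
public class AbsoluteSessionLifetimeFilter implements Filter {
  // Assumed cap for this example: eight hours from session creation
  private static final long MAX_SESSION_AGE_MILLIS = 8L * 60 * 60 * 1000;

  @Override
  public void init(FilterConfig cfg) {
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    // getSession(false) does not create a session just to inspect it
    HttpSession session = request.getSession(false);
    if (session != null && isExpired(session, System.currentTimeMillis())) {
      // Too old regardless of activity: drop it and send the user back to login
      session.invalidate();
      response.sendRedirect(request.getContextPath() + "/login.do"); // assumed login view
      return;
    }
    chain.doFilter(req, res);
  }

  /** True once the session is older than the cap, measured from its creation time. */
  static boolean isExpired(HttpSession session, long nowMillis) {
    return nowMillis - session.getCreationTime() > MAX_SESSION_AGE_MILLIS;
  }

  @Override
  public void destroy() {
  }
}
```

Having moved the sensitive data server-side, the session id itself becomes the secret that the packet sniffing and cross-site scripting threats in the risk assessment target. Under the Servlet 3.0 specification the id's cookie can be marked so that it is neither readable from script nor sent over plain HTTP by adding `<session-config><cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config>` to `web.xml`.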
Risk Assessment
Noncompliance may lead to sensitive information being stored within a cookie, which may be accessible via packet sniffing or cross-site scripting attacks.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
FIO14-J | high | probable | medium | P12 | L1 |