...

Noncompliant Code Example

private String login(HttpServletRequest request, HttpServletResponse response) {
    List<String> errors = new ArrayList<String>();
    request.setAttribute("errors", errors);

    String username = request.getParameter("username");
    String password = request.getParameter("password");

    // Reject missing parameters and anything outside the word-character set
    if (username == null || !username.matches("\\w+")) errors.add("Incorrect user name format.");
    if (password == null || !password.matches("\\w+")) errors.add("Incorrect password format.");

    if (errors.size() > 0) return "error.do";

    UserBean dbUser = this.userDAO.lookup(username);
    // Same message for unknown user and wrong password to avoid account enumeration
    if (dbUser == null || !dbUser.checkPassword(password)) {
        errors.add("Invalid user name or password.");
        return "error.do";
    }

    // Noncompliant: the authenticated identity is kept in a plain cookie that the
    // client controls and that injected script or an on-path observer can read or forge
    Cookie userCookie = new Cookie("user", username); // Create a cookie that contains the username
    response.addCookie(userCookie); // Send the cookie information to the client

    return "welcome.do";
}

...

Compliant Solution

private String login(HttpServletRequest request, HttpServletResponse response) {
    List<String> errors = new ArrayList<String>();
    request.setAttribute("errors", errors);

    String username = request.getParameter("username");
    String password = request.getParameter("password");

    // Reject missing parameters and anything outside the word-character set
    if (username == null || !username.matches("\\w+")) errors.add("Incorrect username format.");
    if (password == null || !password.matches("\\w+")) errors.add("Incorrect password format.");

    if (errors.size() > 0) return "error.do";

    UserBean dbUser = this.userDAO.lookup(username);
    // Same message for unknown user and wrong password to avoid account enumeration
    if (dbUser == null || !dbUser.checkPassword(password)) {
        errors.add("Invalid username or password.");
        return "error.do";
    }

    // Drop the pre-authentication session so an identifier planted by an attacker
    // is never promoted to an authenticated one (session fixation)
    HttpSession session = request.getSession(false);
    if (session != null) session.invalidate(); // Invalidate old session id
    session = request.getSession(true); // Generate new session id
    // (Servlet 3.1 and later can call request.changeSessionId() instead)
    session.setMaxInactiveInterval(2 * 60 * 60); // Idle timeout of two hours, in seconds
    session.setAttribute("user", dbUser); // Store user bean server-side; only the session id reaches the client

    return "welcome.do";
}

In the compliant solution the user's identity is kept in the server-side HttpSession instead of in a client-readable cookie; the browser holds only the opaque session identifier. The pre-authentication session is invalidated and a fresh one is created at login, so an identifier that an attacker planted in the victim's browser before authentication (a session fixation attack) is never promoted to an authenticated session; on Servlet 3.1 and later, HttpServletRequest.changeSessionId() achieves the same result without discarding the session's attributes. The inactivity timeout is set to two hours so that an attacker who does obtain a user's session identifier has only a bounded window in which to hijack the session. The identifier cookie itself remains a target: mark it HttpOnly so that script injected by cross-site scripting cannot read it, mark it Secure so that it is only sent over TLS, and invalidate the session on logout.
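The following added example (not code from the CERT page; it is a language-agnostic simulation rather than servlet code) plays a session fixation attack against two login handlers. `login_fixable` mirrors the noncompliant pattern of authenticating whatever session the client already presented; `login_regenerating` mirrors `session.invalidate()` followed by `request.getSession(true)`. The credential table, the session store and the two-hour idle timeout are constructed for the demonstration, and `session_cookie_header` shows the HttpOnly and Secure attributes the prose asks for.

```python
"""Session fixation walk-through (added example, not from the CERT page)."""
import secrets
import time

SESSION_TIMEOUT = 2 * 60 * 60  # seconds of inactivity, as in the compliant solution

# Constructed credential table for the demo. Real code stores a salted hash.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Minimal server-side session table: id -> {user, last_seen}."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def create(self):
        # 256 bits from the OS CSPRNG; never derived from anything the client sent
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Return the session entry, expiring it if it has been idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > SESSION_TIMEOUT:
            del self._sessions[sid]
            return None
        entry["last_seen"] = self._clock()
        return entry

    def invalidate(self, sid):
        self._sessions.pop(sid, None)


def login_fixable(store, presented_sid, username, password):
    """Noncompliant: marks the session the client presented as authenticated,
    so an id the attacker planted beforehand becomes the victim's session."""
    if USERS.get(username) != password:
        return None
    entry = store.get(presented_sid)
    if entry is None:
        presented_sid = store.create()
        entry = store.get(presented_sid)
    entry["user"] = username
    return presented_sid


def login_regenerating(store, presented_sid, username, password):
    """Compliant: discard the pre-login session and issue a fresh id."""
    if USERS.get(username) != password:
        return None
    store.invalidate(presented_sid)
    new_sid = store.create()
    store.get(new_sid)["user"] = username
    return new_sid


def session_cookie_header(sid):
    """Set-Cookie line for the id: HttpOnly keeps it from script (XSS), Secure
    keeps it off cleartext connections (sniffing). Servlet containers set these
    through web.xml <cookie-config> or SessionCookieConfig."""
    return f"Set-Cookie: JSESSIONID={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def run_fixation_attack(login):
    """Return the user the attacker's planted id resolves to after the victim
    logs in through the given handler (None means the attack was defeated)."""
    store = SessionStore()
    planted = store.create()  # attacker obtains a valid anonymous id from the server
    # ...and plants it in the victim's browser (XSS, URL rewriting, etc.); the victim logs in
    login(store, planted, "alice", "correct horse battery staple")
    entry = store.get(planted)  # attacker now replays the planted id
    return entry["user"] if entry else None


def idle_session_expires(login):
    """Check the inactivity timeout using a controllable clock."""
    now = [1_700_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    sid = login(store, None, "alice", "correct horse battery staple")
    now[0] += SESSION_TIMEOUT + 1
    return store.get(sid) is None


if __name__ == "__main__":
    print("fixable login      ->", run_fixation_attack(login_fixable))      # alice
    print("regenerating login ->", run_fixation_attack(login_regenerating))  # None
    print("idle expiry        ->", idle_session_expires(login_regenerating))  # True
    print(session_cookie_header(SessionStore().create()))
```

The attacker never needs to guess an identifier: the server hands out a perfectly valid anonymous one on first contact, and the only question is whether the login step keeps it. Regenerating the id at the privilege change is what defeats the attack; the timeout and cookie attributes limit what a stolen id is worth afterwards.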

Risk Assessment

Noncompliance may lead to sensitive information, such as the authenticated user's identity, being stored in a cookie. Cookie contents can be read by packet sniffing on non-TLS connections or by cross-site scripting attacks, and can be altered at will by the client.

Rule    | Severity | Likelihood | Remediation Cost | Priority | Level
--------|----------|------------|------------------|----------|------
FIO14-J | high     | probable   | medium           | P12      | L1

Bibliography

[OWASP 2009] Session Fixation in Java. http://www.owasp.org/index.php/Session_Fixation_in_Java