SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 8

changes.mady.by.user Ryan Hall

Saved on

compared with

New Version 9

changes.mady.by.user Ryan Hall

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#FFcccc
private String login(HttpServletRequest request, HttpServletResponse response) {
        List<String> errors = new ArrayList<String>();
        request.setAttribute("errors", errors);
        
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        
        // Basic input validation
        if(username.matches("[\\w]*")) errors.add("Incorrect user name format.");
        if(password.matches("[\\w]*")) errors.add("Incorrect password format.");
        
        if(errors.size() > 0) return "error.dojsp";
        
        UserBean dbUser = this.userDAO.lookup(username);
        if(!dbUser.checkPassword(password)) {
            errors.add("Passwords do not match.");
            return "error.dojsp";
        }
        
        Cookie userCookie = new Cookie("user", username); // Create a cookie that contains the username
        response.addCookie(userCookie); // Send the cookie information to the client
        
        return "welcome.dojsp";
}

Note that the above non compliant code example stores the user name within the cookie for authentication purposes. This particular code example is insecure because an attacker could possibly perform a cross-site scripting attack or sniff packets to find the user name within the cookie. If an attacker had the user name of a particular individual, they could forget their own cookie containing the user name and easily gain access to their account within the web application assuming that the application uses the cookie to identify a user.

...

Code Block
bgColor#ccccff
private String login(HttpServletRequest request, HttpServletResponse response) {
    	List<String> errors = new ArrayList<String>();
        request.setAttribute("errors", errors);

    	String username = request.getParameter("username");
    	String password = request.getParameter("password");

        // Basic input validation
    	if(username.matches("[\\w]*")) errors.add("Incorrect username format.");
    	if(password.matches("[\\w]*")) errors.add("Incorrect password format.");

    	if(errors.size() > 0) return "error.dojsp";

    	UserBean dbUser = this.userDAO.lookup(username);
    	if(!dbUser.checkPassword(password)) {
    		errors.add("Passwords do not match.");
    		return "error.do"jsp;
    	}

    	HttpSession session = request.getSession();
    	session.invalidate(); // Invalidate old session id
    	session = request.getSession(true); // Generate new session id
    	session.setMaxInactiveInterval(2*60*60); // Set session timeout to two hours
    	session.setAttribute("user", dbUser); // Store user bean within the session

    	return "welcome.dojsp";
}

In the above solution, we have switched from a cookie to a session to store user information. Additionally, the current session is invalidated and a new session is created in order to avoid session fixation attacks as noted by The Open Web Application Security Project (OWASP 2009). The timeout of the session has also been set to two hours to minimize the chance that an attacker can perform session hijacking attacks.

...