It is possible to set the session ID to a previously issued value when accessing unauthenticated parts of the website. Upon successful authentication, the session ID is not invalidated and continues being used. This vulnerability is known as 'session fixation'.
Impact / Technical Details:
Failing to regenerate the session ID after authentication renders the application vulnerable to session fixation attacks. This attack consists in a user being coerced into using a chosen session ID determined by an attacker. Once the victim logs in to the system, the attacker can hijack this authenticated session by re-using the fixed session ID attached to the victim. Particularly, the tested application fails to reissue a new JSESSIONID cookie.
To prevent session fixation attacks, it is recommended that the application issues a new randomly generated session identifier when the user moves into the authenticated part of the website. For more information, please see article http://www.owasp.org/index.php/Top_10_2007-A7
We tried to set the parameter "token.per.request=true" what are described in Administration Manuals, but afterwe unable to use AdminUI. After login if we click to some button in menu, any page can not be opened.
QCCR1A116412 Security Compliancy in OMU Admin GUI(CSRF-protection)
we change parameter in security.properties from false to true:
and executed the
adminui start –clean
if we use token.per.request=true we able to login to Admin UI, but navigation is not possible. Any of Admin UI menu buttons causes: "This page can't be displayed" .
see attached picture:
1. Login to AdminUI
2. Click to HPOM button on top menu
3. Page can't be displayed
regarding this request, the mentioned QCCR1A116412 should be able to address that. If the AdminUI does not work with “token.per.request=true”, then that is a defect, and you can raise a support case.
Please be aware of the following:
Using “token.per.request=true” is tricky. Since a new token is created for every request, several things will not work:
- Using browser back button
- Using multiple tabs (an “old” tab will have an old ID and thus going back to that tab and trying to use it again will fail)
So, if there are security requirements that need this, you can use AdminUI only with one tab at a time and only forward navigation (using links and menues within the adminUI web page, no brower navigation). If even that doesn’t work, then that is a defect.
Please confirm the above.
Moderator, OpsBridge Idea Exchange