#1 mtz1406 (Member, joined Aug 2008, Riyadh - Saudi Arabia, 15 posts)

Security in HttpSession [Discussion]

We use the HttpSession in our web applications. The most common example of using the HttpSession is the login procedure. If the user has logged in, the web application creates a new HttpSession in the system. This HttpSession has a unique id. This id will be stored in that user's browser as a cookie (there are other ways to store it). So if the user requests information again, the web application checks whether this user has logged in or not by checking if the user has an HttpSession id in his request.

I want to discuss the security of this procedure with you.
Let's start with these questions:

1. If a hacker hacks the user's computer after the user has logged in, and the hacker takes the user's cookie, can the hacker use it? Why? How do we solve this, if yes?

2. Is there a relation between an HttpSession id and the user's IP, or must the developer store the user's IP in the HttpSession manually?

3. Suppose that the web application stores the IP address of the request in the HttpSession to check whether the next request comes from the same user or not, but the hacker that I talked about in question #1 is on the same local network (has the same IP address). Can the hacker succeed? Why? How do we solve this, if yes? Can we check the IP and the port? How?

4. Can we know the MAC address of the HttpRequest? How, if yes?

5. I heard that "one way to know the sites that users visit most is fetching the users' cookies". If this is true, how can a site fetch a user's cookies for another site? Is it a legal procedure, or is it a bug in some browsers?

Thank you.

#2 mtz1406 (Member, joined Aug 2008, Riyadh - Saudi Arabia, 15 posts)

More questions

6. Sometimes we need to prevent a user who has two different accounts from using them at the same time, for example in a multiplayer game web application.

Note: that user may use the same browser application or two different web browsers.

How do we solve this problem?

#3 Nicholas Jordan (Senior Member, joined Jun 2008, Southwest, 1,018 posts)

Various security issues

    Caveat Emptor ....
Quote Originally Posted by mtz1406:
We use the HttpSession in our web applications. The most common example of using the HttpSession is the login procedure. If the user has logged in, the web application creates a new HttpSession in the system. This HttpSession has a unique id. This id will be stored in that user's browser as a cookie (there are other ways to store it). So if the user requests information again, the web application checks whether this user has logged in or not by checking if the user has an HttpSession id in his request.
Cookies are, in general, the same as giving a cookie (a baked, actual cookie) to whomever. Session IDs tend to spread across several instances and requests, over several hours. Any real session ID you will have to do yourself. The machinery is capable of generating good tools to do the work, but the real avenue of intrusion is the human mind. If you have real data to protect, you may wish to examine multiple protection layers.

Quote Originally Posted by mtz1406:
1. If a hacker hacks the user's computer after the user has logged in, and the hacker takes the user's cookie, can the hacker use it? Why? How do we solve this, if yes?
    Depends on the skill level of the hacker. Can we solve this? No.

Quote Originally Posted by mtz1406:
2. Is there a relation between an HttpSession id and the user's IP, or must the developer store the user's IP in the HttpSession manually?
There is, but IPv4 was designed to be spoofable; IPv6 is working towards being spoof-proof, but there is just too much dust lying all around for this to be a solvable issue.

Quote Originally Posted by mtz1406:
3. Suppose that the web application stores the IP address of the request in the HttpSession to check whether the next request comes from the same user or not, but the hacker that I talked about in question #1 is on the same local network (has the same IP address). Can the hacker succeed? Why? How do we solve this, if yes? Can we check the IP and the port? How?
    Throw everything you can find at the problem, then hide in fear in a deep hole with half a ton of munitions destroying anything that comes close....

    Well, sort of. Anyone who has intrusion intent can at some time do some damage given enough time. Only solution is to assume something can be broken eventually and design multiple cross-locks such that an intruder will be detected before any real damage is done, then 'fire everybody' and change all the passwords, if you can get them to remember passwords.

    Do not believe all that you read on the open web about security. Some of the stuff is written to encourage practices that make work for security workers when a simpler approach may do some good.

Quote Originally Posted by mtz1406:
4. Can we know the MAC address of the HttpRequest? How, if yes?
That is, in general, not the way Java does business. You could write some application-side code that calls JNI and does it in C/C++, but that requires that you write both the server side and the client side. If it is bad enough to need the MAC address, you need to look for a job elsewhere.

Quote Originally Posted by mtz1406:
5. I heard that "one way to know the sites that users visit most is fetching the users' cookies". If this is true, how can a site fetch a user's cookies for another site? Is it a legal procedure, or is it a bug in some browsers?
Not a legal (Java's idea of legal) procedure. There are ways to do it, but the practice is STRONGLY discouraged in Java, and even discussion of it will get you 'bad way' .... What exactly is it (I mean, is it valuable) that you are trying to protect? If it is valuable, there are intruders who will work to gain destruction for no reason at all.

    Best practices demand great study by you in this area. If you cannot do that, do not put anything of value where it can be busted.

#4 fishtoprecords (Senior Member, joined Jun 2008, 571 posts)

Quote Originally Posted by mtz1406:
1. If a hacker hacks the user's computer after the user has logged in, and the hacker takes the user's cookie, can the hacker use it? Why? How do we solve this, if yes?
Never trust any information from the user and the user's browser. Never.
It's OK to have a nonce in a cookie or session id.

But you must then look up the nonce on your server and have an expiration time. It's unwise to have the expiration be longer than an hour or so.

Quote Originally Posted by mtz1406:
2. Is there a relation between an HttpSession id and the user's IP, or must the developer store the user's IP in the HttpSession manually?
Do you mean the TCP/IP address of the user?
They are not constant. Users on many ISPs are assigned DHCP addresses, and they can and do change during your session.

Quote Originally Posted by mtz1406:
3. Suppose that the web application stores the IP address of the request in the HttpSession to check whether the next request comes from the same user or not, but the hacker that I talked about in question #1 is on the same local network (has the same IP address). Can the hacker succeed? Why? How do we solve this, if yes? Can we check the IP and the port? How?
See above; this is not viable. Give it up, it's a bad idea.

Quote Originally Posted by mtz1406:
4. Can we know the MAC address of the HttpRequest? How, if yes?
Usually not. The MAC address is important to the low levels of the TCP/IP stack, down in level 3. An application only has access to levels 6 and 7.

And MAC addresses are not really fixed. They can be flashed. It's bad form to rely upon the MAC address.

Quote Originally Posted by mtz1406:
5. I heard that "one way to know the sites that users visit most is fetching the users' cookies". If this is true, how can a site fetch a user's cookies for another site? Is it a legal procedure, or is it a bug in some browsers?
I don't know exactly what you are referring to. Cookies are usually well implemented, but see the response to #1: never trust anything from the user.

Quote Originally Posted by mtz1406:
6. Sometimes we need to prevent a user who has two different accounts from using them at the same time, for example in a multiplayer game web application.
So keep track of the user on your server. Store it in a database and check it. It's easy to implement. It won't work perfectly, but nothing that you are asking can be done as easily or as perfectly as we would want.
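A compact illustration of the server-side design fishtoprecords sketches in the answers above: the cookie carries only a random nonce that is looked up on the server and expires after about an hour (question 1), and the server keeps its own record of which account is logged in so a second login revokes the first (question 6). This is an added example, not code from any poster in the thread; it is plain Java with no servlet dependency, so the class and method names (SessionRegistry, login, authenticate, logout), the in-memory maps standing in for the database, and the one-hour lifetime are assumptions made for the example.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Server-side session registry (added example, not from the thread). The browser only
 * ever holds an opaque nonce; the account name, the expiry and the "who is logged in"
 * state stay on the server, where the client cannot alter them.
 */
public final class SessionRegistry {

    /** What the server remembers about one login. */
    private static final class Session {
        final String account;
        final Instant expiresAt;

        Session(String account, Instant expiresAt) {
            this.account = account;
            this.expiresAt = expiresAt;
        }
    }

    private final SecureRandom random = new SecureRandom();
    private final Map<String, Session> byNonce = new HashMap<>();       // nonce -> session
    private final Map<String, String> nonceByAccount = new HashMap<>(); // account -> its one live nonce
    private final Duration lifetime;

    public SessionRegistry(Duration lifetime) {
        this.lifetime = lifetime;
    }

    /** Called after the password check has passed. Returns the nonce to put in the cookie. */
    public synchronized String login(String account, Instant now) {
        // Question 6: a second login for the same account revokes the earlier session,
        // whichever browser it came from, so one account cannot be active twice.
        String previous = nonceByAccount.remove(account);
        if (previous != null) {
            byNonce.remove(previous);
        }

        byte[] raw = new byte[32]; // 256 bits from a CSPRNG: not guessable, carries no user data
        random.nextBytes(raw);
        String nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);

        byNonce.put(nonce, new Session(account, now.plus(lifetime)));
        nonceByAccount.put(account, nonce);
        return nonce;
    }

    /**
     * Called on every request. The cookie value is only a key for a lookup; the answer
     * comes from the server's own table, never from anything the browser sent.
     */
    public synchronized Optional<String> authenticate(String nonce, Instant now) {
        if (nonce == null) {
            return Optional.empty();
        }
        Session s = byNonce.get(nonce);
        if (s == null) {
            return Optional.empty(); // unknown, forged or already revoked
        }
        if (!now.isBefore(s.expiresAt)) {
            logout(nonce); // expired: drop it so a copied cookie stops working by itself
            return Optional.empty();
        }
        return Optional.of(s.account);
    }

    public synchronized void logout(String nonce) {
        Session s = byNonce.remove(nonce);
        if (s != null) {
            nonceByAccount.remove(s.account, nonce);
        }
    }

    public static void main(String[] args) {
        SessionRegistry registry = new SessionRegistry(Duration.ofHours(1));
        Instant t0 = Instant.parse("2008-08-01T10:00:00Z"); // constructed clock for the demo

        String cookie1 = registry.login("alice", t0);
        System.out.println("30 min later, same cookie:   "
                + registry.authenticate(cookie1, t0.plus(Duration.ofMinutes(30))));
        System.out.println("made-up cookie value:        "
                + registry.authenticate("not-a-real-nonce", t0));

        // Second login (e.g. from another browser) invalidates the first nonce.
        String cookie2 = registry.login("alice", t0.plus(Duration.ofMinutes(40)));
        System.out.println("first cookie after re-login: "
                + registry.authenticate(cookie1, t0.plus(Duration.ofMinutes(41))));
        System.out.println("second cookie, still fresh:  "
                + registry.authenticate(cookie2, t0.plus(Duration.ofMinutes(41))));

        // One hour after the second login the nonce expires on its own.
        System.out.println("second cookie after expiry:  "
                + registry.authenticate(cookie2, t0.plus(Duration.ofMinutes(101))));
    }
}
```

In a servlet deployment the two maps would be the database table fishtoprecords mentions, `login` would run after the password check and write the nonce to the cookie with `setHttpOnly(true)` and `setSecure(true)`, and `authenticate` would run in a `Filter` in front of every protected request. The point the code makes is the one the answer makes: the browser is asked only for a key, and every decision about that key (is it known, whose is it, is it still fresh, has it been superseded) is taken from server-side state.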
