11-17-2008, 05:19 AM #1
Member (Join Date: Aug 2008; Location: Riyadh - Saudi Arabia; Posts: 15)
Security in HttpSession [Discussion]
We use the HttpSession in our web applications. The most common example of using the HttpSession is the login procedure. If the user has logged in, the web application creates a new HttpSession in the system. This HttpSession has a unique id. This id will be stored in that user's browser as a cookie (there are other ways to store it). So if the user requests information again, the web application checks whether this user has logged in or not by checking if the user has the HttpSession id in his request.
I want to discuss the security of this procedure with you.
Let's start with these questions:
1. If a hacker hacks the computer of a user who has logged in, and the hacker takes the user's cookie, can the hacker use it? Why? How do we solve this, if yes?
2. Is there a relation between an HttpSession id and the user's IP, or must the developer store the user's IP in the HttpSession manually?
3. Suppose that the web application stores the IP address of the request in the HttpSession to check whether the next request comes from the same user or not, but the hacker I talked about in question #1 is in the same local network (has the same IP address). Can the hacker succeed? Why? How do we solve this, if yes? Can we check the IP and the port? How?
4. Can we know the MAC address of the HttpRequest? How, if yes?
5. I heard that "one way to know the sites that users visit most is fetching the users' cookies". If this is true, how can a site fetch a user's cookies for another site? Is it a legal procedure or is it a bug in some browsers?
Thank you.
- 11-17-2008, 07:13 AM #2
Another question
6. Sometimes we need to prevent a user that has two different accounts from using them at the same time, for example in a multiplayer game web application.
Note: that user may use the same browser application or use two different web browsers.
How do we solve this problem?
- 11-18-2008, 02:02 PM #3
various security issues
Caveat Emptor ....
Cookies are, in general, the same as giving a cookie (a baked, actual cookie) to whomever. Session IDs tend to spread across several instances and requests, over several hours. Any real session ID you will have to do yourself. The machinery is capable of generating good tools to do the work, but the real avenue of intrusion is the human mind. If you have real data to protect, you may wish to examine multiple protection layers.
Depends on the skill level of the hacker. Can we solve this? No.
There is, but IPv4 was designed to be spoofable; IPv6 is working towards spoof-proof, but there is just too much dust lying all around for it to be a solvable issue.
Throw everything you can find at the problem, then hide in fear in a deep hole with half a ton of munitions destroying anything that comes close....
Well, sort of. Anyone who has intrusion intent can at some time do some damage, given enough time. The only solution is to assume something can be broken eventually and design multiple cross-locks such that an intruder will be detected before any real damage is done, then 'fire everybody' and change all the passwords, if you can get them to remember passwords.
Do not believe all that you read on the open web about security. Some of the stuff is written to encourage practices that make work for security workers when a simpler approach may do some good.
That is in general not the way Java does business. You could code some application-side code that calls JNI and do it in C/C++, but that requires you to write both the server side and the client side. If it is bad enough to need the MAC address, you need to look for a job elsewhere.
Not a legal (Java's idea of legal) procedure. There are ways to do it, but the practice is STRONGLY discouraged in Java and even discussion of it will get you 'bad way' .... What exactly is it (I mean, is it valuable) that you are trying to protect? If it is valuable, there are intruders who will work to gain destruction for no reason at all.
Best practices demand great study by you in this area. If you cannot do that, do not put anything of value where it can be busted.
- 11-19-2008, 12:37 AM #4
Never trust any information from the user and the user's browser. Never.
1. It's OK to have a nonce in a cookie or session id. But you must then look up the nonce in your server and have an expiration time. It's unwise to have the expiration be longer than an hour or so.
2. Do you mean the TCP/IP address of the user? They are not constant. Users on many ISPs are assigned DHCP addresses, and they can and do change during your session.
3. See above, this is not viable. Give it up; it's a bad idea.
4. Usually not. The MAC address is important to the low levels of the TCP/IP stack, down in level 3, and an application only has access to levels 6 and 7. And MAC addresses are not really fixed; they can be flashed. It's bad form to rely upon the MAC address.
5. I don't know exactly what you are referring to. Cookies are usually well implemented, but see the response to #1: never trust anything from the user.
6. So keep track of the user on your server. Store it in a database and check it. It's easy to implement. It won't work perfectly, but nothing that you are asking can be done as easily or perfectly as we would want.
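The following is an added example, not code from any poster in this thread, showing what the advice in the replies above looks like in the Servlet API the opening post is asking about: the session id is the "nonce" looked up on the server (the container does that lookup for you), the pre-login session is replaced at login so an id an attacker planted or captured earlier is worthless afterwards, every session carries an absolute lifetime on top of the container's idle timeout, and a server-side registry keeps one active session per user name (question #6), evicting the older one when the same user logs in again from another browser. The class name SessionGuard, the attribute names, the timeouts and the URL pattern are assumptions; the registry is an in-process map, so in a clustered deployment it would have to live in a shared store such as the database the last reply mentions.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Hypothetical example class (not from the thread). Protects everything under /app/*
 * and tracks which session is currently allowed to act for each user name.
 * The container instantiates the filter and the listener separately; the registry
 * is static so both see the same map. Assumes a single JVM.
 */
@WebFilter("/app/*")
@WebListener
public final class SessionGuard implements Filter, HttpSessionListener {
    static final String USER_ATTR = "auth.user";            // assumed attribute name
    static final String LOGIN_TIME_ATTR = "auth.loginTime"; // assumed attribute name
    static final long ABSOLUTE_LIFETIME_MS = 60L * 60 * 1000; // 1 h hard cap (assumed policy)
    static final int IDLE_TIMEOUT_SEC = 15 * 60;              // 15 min idle (assumed policy)

    /** user name -> the one session that may currently act for that user. */
    private static final ConcurrentMap<String, HttpSession> ACTIVE = new ConcurrentHashMap<>();

    /**
     * Call from the login servlet after the password check succeeds.
     * The session the client arrived with is discarded and a fresh id is issued,
     * so an id planted or captured before login never becomes an authenticated one
     * (on Servlet 3.1+ request.changeSessionId() does the same in one call).
     */
    public static HttpSession login(HttpServletRequest req, String user) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true); // container generates a new random id
        fresh.setMaxInactiveInterval(IDLE_TIMEOUT_SEC);
        fresh.setAttribute(USER_ATTR, user);
        fresh.setAttribute(LOGIN_TIME_ATTR, System.currentTimeMillis());

        // One session per user: whoever was logged in as this user before is evicted.
        HttpSession previous = ACTIVE.put(user, fresh);
        if (previous != null && previous != fresh) {
            try {
                previous.invalidate();
            } catch (IllegalStateException alreadyInvalid) {
                // the container expired it first; nothing left to do
            }
        }
        return fresh;
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        HttpSession s = req.getSession(false); // never create a session just to reject a request
        String user = (s == null) ? null : (String) s.getAttribute(USER_ATTR);

        if (user == null || !stillValid(s, user)) {
            if (s != null) {
                s.invalidate();
            }
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(rq, rs);
    }

    /** Absolute lifetime bounds how long a stolen cookie stays useful; the registry check catches eviction. */
    private static boolean stillValid(HttpSession s, String user) {
        Long loginTime = (Long) s.getAttribute(LOGIN_TIME_ATTR);
        if (loginTime == null || System.currentTimeMillis() - loginTime > ABSOLUTE_LIFETIME_MS) {
            return false;
        }
        HttpSession current = ACTIVE.get(user);
        return current != null && current.getId().equals(s.getId());
    }

    /** Timed out, logged out or evicted: forget it so the user can log in again. */
    @Override
    public void sessionDestroyed(HttpSessionEvent ev) {
        HttpSession s = ev.getSession();
        Object user = s.getAttribute(USER_ATTR);
        if (user != null) {
            ACTIVE.remove(user, s); // only if this session is still the registered one
        }
    }

    @Override public void sessionCreated(HttpSessionEvent ev) { }
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

The login servlet itself is assumed to sit outside `/app/*` and to call `SessionGuard.login(request, username)` once the credentials check out; a logout handler just calls `session.invalidate()`, which reaches `sessionDestroyed` and clears the registry entry. Two things this code cannot do belong in the container configuration rather than Java: on Servlet 3.0+ the session cookie should be marked HttpOnly and Secure in web.xml (`<session-config><cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config>`) so script on the page cannot read it and it is never sent over plain HTTP. None of this answers question #1 completely: a cookie copied off an already compromised client works until it expires or the user logs in again, which is why the replies above keep the lifetime short and refuse to trust IP or MAC address as a substitute.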