28 May 2012 14:52
[jira] [Commented] (SHIRO-170) Force New Session ID on Authentication
[ https://issues.apache.org/jira/browse/SHIRO-170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13284391#comment-13284391 ]
Luke Biddell commented on SHIRO-170:
------------------------------------
+1 voting for this in the next release.
In the meantime I have hacked up the suggested fix by Les. I already have my own AuthenticationFilter so I've
rather cheekily overridden executeLogin and done this...
// Imports this override needs (the filter extends Shiro's AuthenticatingFilter).
import java.util.Collection;
import java.util.LinkedHashMap;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

@Override
protected boolean executeLogin(final ServletRequest request, final ServletResponse response)
        throws Exception {
    final AuthenticationToken token = createToken(request, response);
    if (token == null) {
        String msg = "createToken method implementation returned null. A valid non-null AuthenticationToken "
                + "must be created in order to execute a login attempt.";
        throw new IllegalStateException(msg);
    }
    try {
        // Stop session fixation issues.
        // https://issues.apache.org/jira/browse/SHIRO-170
        final Subject subject = getSubject(request, response);
        Session session = subject.getSession();
        // Store the attributes so we can copy them to the new session after auth.
        final LinkedHashMap<Object, Object> attributes = new LinkedHashMap<Object, Object>();
        final Collection<Object> keys = session.getAttributeKeys();
        for (final Object key : keys) {
            final Object value = session.getAttribute(key);
            if (value != null) {
                attributes.put(key, value);
            }
        }
        // Stop the pre-login session so its ID is never promoted to an authenticated one;
        // subject.getSession() below creates a fresh session with a new ID.
        session.stop();
        subject.login(token);
        // Restore the attributes into the new session.
        session = subject.getSession();
        for (final Object key : attributes.keySet()) {
            session.setAttribute(key, attributes.get(key));
        }
        return onLoginSuccess(token, subject, request, response);
    } catch (AuthenticationException e) {
        // The old session was already stopped above, so its attributes are not restored on failure.
        return onLoginFailure(token, e, request, response);
    }
}
Not ideal, but WFM right now.
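The same rotate-and-copy pattern modelled outside Shiro, as an added example (not Luke's code and not Shiro's): `SessionStore`, `USERS` and `login` are constructed stand-ins. Unlike the hack above, it stops the pre-login session only after the credentials have been accepted, so a failed attempt keeps the caller's existing session.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """Constructed in-memory stand-in for the container's session store."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, object]] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)  # fresh, unguessable ID
        self._sessions[sid] = {}
        return sid

    def get(self, sid: str) -> Optional[Dict[str, object]]:
        return self._sessions.get(sid)

    def stop(self, sid: str) -> None:
        self._sessions.pop(sid, None)


# Constructed credential table; a real system compares a password hash.
USERS = {"alice": "correct horse battery staple"}


def check_credentials(username: str, password: str) -> bool:
    return USERS.get(username) == password


def login(store: SessionStore, sid: str, username: str, password: str) -> Optional[str]:
    """Authenticate the holder of session `sid` and rotate the ID on success.
    Returns the new session ID, or None if rejected; on failure the pre-login
    session is kept (the hack above stops it before calling subject.login()).
    """
    old = store.get(sid)
    if old is None:
        raise KeyError("unknown session")
    if not check_credentials(username, password):
        return None
    # Same three steps as the override above: snapshot attributes, stop the
    # pre-login session (its ID may have been planted), copy into a new one.
    attributes = {k: v for k, v in old.items() if v is not None}
    store.stop(sid)
    new_sid = store.create()
    new_session = store.get(new_sid)
    new_session.update(attributes)
    new_session["principal"] = username
    return new_sid
```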
> Force New Session ID on Authentication
> --------------------------------------
>
> Key: SHIRO-170
> URL: https://issues.apache.org/jira/browse/SHIRO-170
> Project: Shiro
> Issue Type: New Feature
> Components: Authentication (log-in), Configuration
> Affects Versions: 1.0.0, 1.1.0, 1.2.0
> Reporter: Jakob Külzer
> Priority: Minor
> Fix For: 1.3.0
>
>
> I am working on an application that has very high security standards. One of the issues raised after a full audit of the app is that it might be vulnerable to session fixation attacks. Shiro does not reset the Session ID after successful authentication, which would prevent this type of attack.
> IMHO this would add another level of security to Shiro beneficial for all kinds of applications.
> OWASP has a good page on session fixation attacks: http://www.owasp.org/index.php/Session_fixation
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira