Session invalidation on LSPS Console login

zbetz
 
Posts: 3
Joined: Wed Jul 12, 2017 4:22 pm

Session invalidation on LSPS Console login

Tue Jul 18, 2017 3:54 pm

LSPS version: 3.1.1019

A little background: We use a tool called Fortify Static Code Analyzer . It has reported a (false positive) finding of "session fixation" for the below file.

\automation\automation-vaadin-war\src\main\webapp\login.jsp

The finding reports that "Authenticating a user without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions."

I tested this myself and confirmed that the session is indeed invalidated upon login, i.e. a new JSESSIONID value is given upon login. I explained this to the Fortify team, but they insist that I show them where it happens in the code. Since the Fortify finding is in the LSPS project code, I was hoping you guys could help.

So, my question: where in LSPS code does the session get invalidated on the LSPS Console login? If possible, please give file name(s) and line number(s).

Much appreciated,
Zachary
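For readers who hit the same analyzer rule in their own code rather than in a container-managed login, the following is an added example (not LSPS code, and not what login.jsp does) of the pattern the "session fixation" rule wants to see: the pre-authentication session is discarded and a fresh one issued before the principal is stored. The `credentialsValid` back end and the "demo" credentials are constructed placeholders; the `sessionIdRotated` helper is the same check zbetz did by hand, expressed over two Set-Cookie headers so it can be handed to a review team as evidence.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not LSPS code): a login servlet that rotates the session
 * identifier on successful authentication, which is exactly what static
 * analyzers look for when they report "session fixation".
 */
public class RotatingLoginServlet extends HttpServlet {

    // Hypothetical authentication back end with constructed credentials;
    // a real application would consult its user store here.
    private boolean credentialsValid(String user, String password) {
        return "demo".equals(user) && "demo-password".equals(password);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");

        if (!credentialsValid(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Fixation-prone pattern (the one the analyzer flags):
        //   req.getSession(true).setAttribute("user", user);
        // The JSESSIONID issued before login survives authentication, so an
        // id known to a third party would now name an authenticated session.

        // Hardened pattern: keep any attributes worth carrying over, invalidate
        // the old session, and create a new one so the authenticated principal
        // is only ever bound to an id issued after the credentials were checked.
        HttpSession old = req.getSession(false);
        Map<String, Object> keep = new HashMap<>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String n = names.nextElement();
                keep.put(n, old.getAttribute(n));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : keep.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("user", user);

        // On a Servlet 3.1 container (Java EE 7, which WebLogic 12.2.1
        // implements) the same rotation, with attributes preserved, is one call:
        //   req.changeSessionId();

        resp.sendRedirect(req.getContextPath() + "/");
    }

    /** Extracts the JSESSIONID value from a Set-Cookie header, or null if absent. */
    static String jsessionIdOf(String setCookieHeader) {
        if (setCookieHeader == null) {
            return null;
        }
        for (String part : setCookieHeader.split(";")) {
            String p = part.trim();
            if (p.startsWith("JSESSIONID=")) {
                return p.substring("JSESSIONID=".length());
            }
        }
        return null;
    }

    /**
     * Evidence check: true when the Set-Cookie header returned by the login
     * response carries a non-empty JSESSIONID that differs from the one
     * issued before login. Compare the header from the first GET of the login
     * page with the header from the POST that authenticated.
     */
    static boolean sessionIdRotated(String beforeSetCookie, String afterSetCookie) {
        String before = jsessionIdOf(beforeSetCookie);
        String after = jsessionIdOf(afterSetCookie);
        return after != null && !after.isEmpty() && !after.equals(before);
    }
}
```

Whether the container or the application performs the rotation, `sessionIdRotated` applied to the two captured Set-Cookie headers is the observable fact an analyzer triage needs; a `true` result with the container doing the work is what this thread concludes for WebLogic 12.x.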

Maria Jurcovicova
 
Posts: 3
Joined: Tue Jan 24, 2017 10:29 am

Re: Session invalidation on LSPS Console login

Wed Jul 19, 2017 10:35 am

The session id after login is changed by your application server, so the answer should be in the release notes/documentation for that application server. Which application server and version do you use?

With regards,
Maria Jurcovicova

zbetz
 
Posts: 3
Joined: Wed Jul 12, 2017 4:22 pm

Re: Session invalidation on LSPS Console login

Wed Jul 19, 2017 4:43 pm

We use WebLogic 12.2.1. I'm looking through their documentation for using sessions and session persistence
https://docs.oracle.com/cd/E24329_01/web.1211/e21049/sessions.htm#WBAPP300

Maria Jurcovicova
 
Posts: 3
Joined: Tue Jan 24, 2017 10:29 am

Re: Session invalidation on LSPS Console login

Thu Jul 20, 2017 9:30 am

According to Oracle Security Advisory BEA08-196.00 https://www.oracle.com/technetwork/topics/security/270-094986.html,
WebLogic was vulnerable to session fixation in versions 10.0 and lower. The problem was fixed in maintenance packs for those versions. It seems like 12.x did not have this vulnerability.

Hope that helps,
Maria Jurcovicova

zbetz
 
Posts: 3
Joined: Wed Jul 12, 2017 4:22 pm

Re: Session invalidation on LSPS Console login

Thu Jul 20, 2017 3:07 pm

This is what I needed. Thank you, Maria!
