
Session invalidation on LSPS Console login

Posted: Tue Jul 18, 2017 3:54 pm
by zbetz
LSPS version: 3.1.1019

A little background: We use a tool called Fortify Static Code Analyzer. It has reported a (false positive) finding of "session fixation" for the below file.

\automation\automation-vaadin-war\src\main\webapp\login.jsp

The finding reports that "Authenticating a user without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions."

I tested this myself and confirmed that the session is indeed invalidated upon login, i.e. a new JSESSIONID value is given upon login. I explained this to the Fortify team, but they insist that I show them where it happens in the code. Since the Fortify finding is in the LSPS project code, I was hoping you guys could help.

So, my question: where in LSPS code does the session get invalidated on the LSPS Console login? If possible, please give file name(s) and line number(s).

Much appreciated,
Zachary
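The manual test described in the post above (log in, confirm the JSESSIONID changes) as a repeatable script. This is an added example, not LSPS, WebLogic or Fortify code: it fetches the login page to obtain a pre-authentication session id, then submits the login form while presenting that id, and reports whether the server issued a different id. The login path and the j_username/j_password form fields are assumptions (the usual Java EE form-login names); the stub server is constructed here so the script runs offline, and it can be switched between keeping the pre-auth id (the fixation case) and rotating it.

```python
"""Session fixation check: does authentication rotate the JSESSIONID?
Added example, not part of the original post or of LSPS/WebLogic."""
import http.client
import threading
import uuid
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer


def extract_jsessionid(set_cookie_headers):
    """Return the JSESSIONID value from a list of Set-Cookie header values, or None."""
    for header in set_cookie_headers:
        cookie = SimpleCookie()
        cookie.load(header)
        if "JSESSIONID" in cookie:
            return cookie["JSESSIONID"].value
    return None


def check_session_rotation(host, port, login_path="/login",
                           form="j_username=user&j_password=secret"):
    """GET the login page (anonymous session), POST credentials with that
    session id, and compare the ids. Returns (pre_id, post_id, rotated).
    login_path and the form field names are assumptions, not LSPS specifics."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", login_path)
    resp = conn.getresponse()
    resp.read()
    pre_id = extract_jsessionid(resp.headers.get_all("Set-Cookie") or [])

    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if pre_id is not None:
        headers["Cookie"] = "JSESSIONID=" + pre_id  # present the pre-auth id
    conn.request("POST", login_path, body=form.encode(), headers=headers)
    resp = conn.getresponse()
    resp.read()
    post_id = extract_jsessionid(resp.headers.get_all("Set-Cookie") or [])
    conn.close()

    # Fixation is only excluded if a *new* id is issued at authentication.
    rotated = post_id is not None and post_id != pre_id
    return pre_id, post_id, rotated


class _StubLoginHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a container's form-login endpoint.
    `rotate` decides whether login issues a fresh session id."""
    rotate = True

    def _cookie_id(self):
        cookie = SimpleCookie(self.headers.get("Cookie", ""))
        return cookie["JSESSIONID"].value if "JSESSIONID" in cookie else None

    def do_GET(self):
        self._reply(uuid.uuid4().hex)  # anonymous session for the login form

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        current = self._cookie_id()
        # Vulnerable behaviour: keep whatever id the client presented.
        new_id = uuid.uuid4().hex if (self.rotate or current is None) else current
        self._reply(new_id)

    def _reply(self, session_id):
        self.send_response(200)
        self.send_header("Set-Cookie", "JSESSIONID=%s; Path=/; HttpOnly" % session_id)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the stub quiet


def run_against_stub(rotate):
    """Start the constructed stub on a free port, run the check, shut it down."""
    handler = type("Handler", (_StubLoginHandler,), {"rotate": rotate})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_session_rotation("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for rotate in (True, False):
        pre, post, ok = run_against_stub(rotate)
        print("stub rotates=%s: pre=%s post=%s -> %s"
              % (rotate, pre, post, "rotated" if ok else "FIXATION"))
```

Against a real deployment, call check_session_rotation with the console host, port and login path instead of the stub; a result of rotated=False (same JSESSIONID before and after authentication) is the condition the Fortify finding describes, whichever layer is responsible for issuing the id.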

Re: Session invalidation on LSPS Console login

Posted: Wed Jul 19, 2017 10:35 am
by Maria Jurcovicova
The session id after login is changed by your application server, so the answer should be in the release notes/documentation for that application server. Which application server and version do you use?

With regards,
Maria Jurcovicova

Re: Session invalidation on LSPS Console login

Posted: Wed Jul 19, 2017 4:43 pm
by zbetz
We use WebLogic 12.2.1. I'm looking through their documentation for using sessions and session persistence
https://docs.oracle.com/cd/E24329_01/web.1211/e21049/sessions.htm#WBAPP300

Re: Session invalidation on LSPS Console login

Posted: Thu Jul 20, 2017 9:30 am
by Maria Jurcovicova
According to Oracle Security Advisory BEA08-196.00 https://www.oracle.com/technetwork/topics/security/270-094986.html,
WebLogic was vulnerable to session fixation in versions 10.0 and lower. The problem was fixed in maintenance packs for those versions. It seems like 12.x did not have this vulnerability.

Hope that helps,
Maria Jurcovicova

Re: Session invalidation on LSPS Console login

Posted: Thu Jul 20, 2017 3:07 pm
by zbetz
This is what I needed. Thank you, Maria!