Session invalidation on LSPS Console login

[zbetz]

LSPS version: 3.1.1019

A little background: We use a tool called Fortify Static Code Analyzer . It has reported a (false positive) finding of "session fixation" for the below file.

Code: Select all

\automation\automation-vaadin-war\src\main\webapp\login.jsp

.

The finding reports that "Authenticating a user without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions."

I tested this myself and confirmed that the session is indeed invalided upon login, i.e. a new JSESSIONID value is given upon login. I explained this to the fortify team, but they insist that I show them where it happens in the code. Since the Fortify finding is in the LSPS project code, was hoping you guys could help.

So, my question: where in LSPS code does the session get invalidated on the LSPS Console login? If possible, please give file name(s) and line number(s).

Much appreciated,
Zachary

[Maria Jurcovicova]

The session id after login is changed by your application server, so the answer should be in the release notes/documentation for that application server. Which application server and version do you use?

With regards,
Maria Jurcovicova

[zbetz]

We use WebLogic 12.2.1. I'm looking through their documentation for using sessions and session persistence
https://docs.oracle.com/cd/E24329_01/web.1211/e21049/sessions.htm#WBAPP300

[Maria Jurcovicova]

According to Oracle Security Advisory BEA08-196.00 https://www.oracle.com/technetwork/topics/security/270-094986.html,
WebLogic was vulnerable to session fixation in versions 10.0 and lower. The problem was fixed in maintenance packs for those versions. It seems like 12.x did not had this vulnerability.

Hope that helps,
Maria Jurcovicova

[zbetz]

This is what I needed. Thank you, Maria!