2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Protect your session token
Usually we take the following measures to protect the session.

1. Use a strong algorithm to generate the Session ID

As we analyzed with WebScarab earlier, the session ID must be random and unpredictable. In general, a session ID should be at least 128 bits long. Let's take the common application server Tomcat to illustrate how to configure the length and the generation algorithm of the session ID. First find {TOMCAT_HOME}\conf\context.xml, then add the settings described below. ➊ defines the length of the session ID; if it is not declared here, the default is 16 bytes. Some readers may wonder why the session IDs they usually see are so long. Take the 20 bytes set here, for example: when the browser sends a request, we see a session ID such as JSESSIONID=90503B6BE403D4AB6164A311E167CF1F6F3F2BD0, whose length is 40, because it is displayed in hexadecimal, with every two characters representing one byte. ➋ defines the random number algorithm; the default is SHA1PRNG, or you can switch to an algorithm of your own. ➌ defines the random number class; the default is java.security.SecureRandom, or we can extend this class to implement our own. One thing to note when implementing our own random number algorithm: we must make sure that the generated Session IDs never repeat. Here is the mechanism Tomcat uses:

```java
/**
 * Generate and return a new session identifier.
 */
protected String generateSessionId() {
    String result = null;
    do {
        if (result != null) {
            duplicates++;   // count collisions with an existing session
        }
        result = sessionIdGenerator.generateSessionId();
    } while (sessions.containsKey(result));   // retry until the ID is unused
    return result;
}
```

In this way Tomcat never produces two identical session IDs.

2. Session expiration

Session expiration is an important security control of the application: it defines how long a user stays logged in without having to log in again.
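The context.xml settings the paragraph refers to, as an added example written for this page rather than the book's own listing; it uses the Tomcat 7 Manager attributes sessionIdLength, secureRandomAlgorithm and secureRandomClass, which are assumed here to correspond to ➊, ➋ and ➌ respectively:

```xml
<!-- {TOMCAT_HOME}/conf/context.xml (added example, assumed to match the book's ➊ ➋ ➌) -->
<Context>
    <!-- StandardManager is Tomcat's default in-memory session manager -->
    <Manager className="org.apache.catalina.session.StandardManager"
             sessionIdLength="20"
             secureRandomAlgorithm="SHA1PRNG"
             secureRandomClass="java.security.SecureRandom" />
</Context>
```

With sessionIdLength="20" the JSESSIONID value becomes 40 hexadecimal characters, matching the example ID shown above.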
In general, there are two types of session expiration: soft session expiration (Soft Session Timeout) and hard session expiration (Hard Session Timeout). Soft session expiration means that if the user does not interact with the application for a certain period of time, the session expires. A simple example: a user logs in to an application and leaves the computer for 40 minutes, while the session timeout set by the application is 30 minutes; when the user returns to the computer and does anything, the system redirects to the login page and asks for the user name and password again. So what is the use of soft session expiration? We know that one of the most basic assumptions of a CSRF attack is that the legitimate user is in a logged-in state. Setting a reasonably low session timeout makes CSRF attacks harder to carry out and protects the system. There are three places to set the soft session timeout; from the highest level to the lowest they are: Tomcat level > Web application level > Servlet runtime context (program code) level, and a lower-level setting overrides a higher-level one.

a. Tomcat level. To set a 30-minute session timeout, set the session timeout to 30 (minutes) in {TOMCAT_HOME}\conf\web.xml.

b. Web application level. To set a 15-minute session timeout, set the session timeout to 15 in {TOMCAT_HOME}\webapps\{APP_NAME}\WEB-INF\web.xml.

c. Program code. To set a 5-minute session timeout in the program, one line of code is enough:

```java
httpSession.setMaxInactiveInterval(5 * 60); // the interval is given in seconds
```

If we apply all three settings above, the one that actually takes effect is the 5 minutes set in the program.

Now let's see what hard session expiration is. It means that after the user has been logged in for a certain period of time, the session expires no matter what the user does.
Everyone knows about the online game anti-addiction system, right? When a minor's cumulative online time reaches 5 hours, the cumulative online time is reset. Hard session expiration is very similar, except that instead of resetting online time, we force the user to log out and log in again. So what is hard session expiration good for? It is mainly used to prevent permanent hijacking of an account. For example, an attacker obtains the victim's session ID through XSS and uses it to act as the victim. With hard session expiration in place, the system forces re-authentication after a fixed period of time, no matter how actively the hijacked session is used. There is no specific API or configuration for hard session expiration, but we can implement it ourselves in a web filter. The basic idea: record the time of each successful login and bind it to the user's Session ID. For every request carrying that Session ID, if the request time minus the login time is greater than the hard timeout we set, invalidate the session and redirect to the login page.

3. Protect your Cookie

A Cookie has two important attributes: secure and HttpOnly. Setting both is very important for protecting your Cookie. Let's start with the secure attribute. If it is declared, the Cookie is only transmitted over HTTPS connections, so an eavesdropper cannot simply read the session ID out of the network traffic, which effectively prevents man-in-the-middle (Man-in-the-Middle) attacks. The HttpOnly attribute, which we introduced in the XSS chapter, prevents scripts (such as JavaScript) from reading or manipulating the Cookie through the DOM, which is necessary to prevent the session ID from being stolen through XSS. The good news is that Tomcat 7 supports Servlet 3.0, so we can set both attributes in web.xml.
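A servlet Filter implementing the hard-timeout idea just described, as an added example that is not code from the book or from ESAPI; it assumes the login code stores the login timestamp under the session attribute LOGIN_TIME (a hypothetical name), an absolute lifetime of 8 hours, and a login page at /login.jsp (assumed path).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class HardSessionTimeoutFilter implements Filter {
    // Session attribute holding the login time; the name is an assumption of this example
    public static final String LOGIN_TIME_ATTR = "LOGIN_TIME";
    // Absolute lifetime of a login, regardless of activity (value assumed: 8 hours)
    private static final long MAX_LIFETIME_MS = 8L * 60 * 60 * 1000;

    // Call this once, right after the user has authenticated successfully
    public static void markLoggedIn(HttpSession session) {
        session.setAttribute(LOGIN_TIME_ATTR, Long.valueOf(System.currentTimeMillis()));
    }

    // The decision itself, kept separate so it can be unit-tested without a container
    static boolean isExpired(Long loginTime, long now) {
        return loginTime != null && now - loginTime.longValue() > MAX_LIFETIME_MS;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false): never create a session just to inspect it
        HttpSession session = request.getSession(false);
        if (session != null) {
            Long loginTime = (Long) session.getAttribute(LOGIN_TIME_ATTR);
            if (isExpired(loginTime, System.currentTimeMillis())) {
                session.invalidate(); // drop server-side state; a leaked ID is now useless
                response.sendRedirect(request.getContextPath() + "/login.jsp"); // assumed page
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) throws ServletException { }
    @Override public void destroy() { }
}
```

Map the filter to /* in web.xml so every request is checked; sessions without LOGIN_TIME (anonymous users) pass through untouched.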
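The web.xml for the Web application level timeout described under 2.b and for the secure/HttpOnly flags just mentioned, as one added example that is not the book's own listing; it assumes a Servlet 3.0 deployment descriptor of the kind Tomcat 7 accepts:

```xml
<!-- {TOMCAT_HOME}/webapps/{APP_NAME}/WEB-INF/web.xml (added example) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
    <session-config>
        <!-- soft timeout in minutes; this 15 overrides the 30 in conf/web.xml -->
        <session-timeout>15</session-timeout>
        <!-- Servlet 3.0: flags applied to the JSESSIONID cookie -->
        <cookie-config>
            <http-only>true</http-only>   <!-- not readable from script (XSS theft) -->
            <secure>true</secure>         <!-- sent over HTTPS only (sniffing) -->
        </cookie-config>
    </session-config>
</web-app>
```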
It should be noted that Tomcat 6 and earlier do not support this, since Tomcat 6 implements Servlet 2.5.

4. Provide a logout function

What is described above is the system expiring the session automatically according to the configured times. A good application should also let the user expire the current session manually, which is the logout button we see on almost every website. So what does a logout generally need to do? Let's look at how logout is implemented in ESAPI.

```java
// Class: org.owasp.esapi.reference.DefaultUser
public void logout() {
    ESAPI.httpUtilities().killCookie(ESAPI.currentRequest(), ESAPI.currentResponse(),
            HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME);                                   // ➊
    HttpSession session = ESAPI.currentRequest().getSession(false);
    if (session != null) {
        removeSession(session);
        session.invalidate();                                                            // ➋
    }
    ESAPI.httpUtilities().killCookie(ESAPI.currentRequest(), ESAPI.currentResponse(), "JSESSIONID"); // ➌
    loggedIn = false;
    logger.info(Logger.SECURITY_SUCCESS, "Logout successful");
    ESAPI.authenticator().setCurrentUser(User.ANONYMOUS);
}
```

The implementation of killCookie is as follows:

```java
public void killCookie(HttpServletRequest request, HttpServletResponse response, String name) {
    String path = "//";
    String domain = "";
    Cookie cookie = getFirstCookie(request, name);
    if (cookie != null) {
        // reuse the original path and domain so the browser matches the same cookie
        path = cookie.getPath();
        domain = cookie.getDomain();
    }
    Cookie deleter = new Cookie(name, "deleted");
    deleter.setMaxAge(0);                                                                // ➍
    if (domain != null) deleter.setDomain(domain);
    if (path != null) deleter.setPath(path);
    response.addCookie(deleter);
}
```

Let's briefly analyze the above code. ➊ removes the "remember me" Cookie, for websites that offer a remember-me function. ➋ invalidates the current session, so that even if the current session ID has leaked, it can no longer be used to log in. ➌ clears the JSESSIONID Cookie. ➍ expires deleter (a Cookie with the same name as the one passed in) immediately, so the browser discards it.

This article is excerpted from "Web Application Security Threat and Prevention -- based on OWASP Top 10 and ESAPI"
Published by Wang Wenjun Li Jianmeng Electronic Industry Publishing House