• Home
• org.codehaus.sonar-plugins.java
• java-checks
• 3.2
• source code
• S2254.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.l10n.java.rules.squid.S2254.html Maven / Gradle / Ivy

According to the Oracle Java API, the HttpServletRequest.getRequestedSessionId() method:

Returns the session ID specified by the client. This may not be the same as the ID of the current valid session for this request. If the client did not specify a session ID, this method returns null.

The session ID it returns is either transmitted in a cookie or a URL parameter so by definition, nothing prevents the end-user from manually updating the value of this session ID in the HTTP request. 
Here is an example of a updated HTTP header:
GET /pageSomeWhere HTTP/1.1
Host: webSite.com
User-Agent: Mozilla/5.0
Cookie: JSESSIONID=Hacked_Session_Value'''">

Due to the ability of the end-user to manually change the value, the session ID in the request should only be used by a servlet container (E.G. Tomcat or Jetty) to see if the value matches the ID of an an existing session. If it does not, the user should be considered  unauthenticated. Moreover, this session ID should never be logged to prevent hijacking of active sessions.
Noncompliant Code Example

if(isActiveSession(request.getRequestedSessionId()) ){
  ...
}

See


 OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management
 Derived from FindSecBugs rule Untrusted Session Cookie Value