Re: [jetty-users] Dynamic session cookie name

Hello all,

I am just reporting back on my issue with having multiple sessions in the same browser while wanting to use cookie-based session tracking instead of URL-based (for reasons of security).

I looked into the proposed solutions and found both quite unattractive. Hacking into the Jetty internals is not my ambition and rewriting seems too hard to get right in all circumstances.

I opted for a different approach and would like to hear if this is a good fix for security risks that come with URL-based session tracking.

I am still using URL-based sessions at the Jetty/Servlet level but have extended that with a cookie on the browser side. The name of the cookie equals the session id and the value is a UUID (or just any random secret with sufficient entropy) that was generated by the server at session creation and stored in a session attribute. A matching cookie is now required to allow a request associated with a session to be handled.

This was quite simple to add since our application server implements an application model where a session request handling object is registered as a session attribute. Requests are then handled by fetching the handler and dispatching the request to it. So the check can be enforced at one single point.

I would think this raises session security to a level similar to cookie based tracking but am curious what other people think.

Thanks in advance for all comments.

Cheers,

Silvio

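Silvio's scheme above written out as a servlet filter, as an added example that is not code from the thread or from Jetty: the class name SessionBindingFilter, the attribute name binding.secret, and the choice to mint the secret lazily on the first request the filter sees for a session (Silvio mints it at session creation) are this example's assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
// Hypothetical filter, not from the thread: a request that resolves to a session must also
// present a cookie named after the session id whose value is that session's stored secret.
public class SessionBindingFilter implements Filter {
    private static final String SECRET_ATTR = "binding.secret"; // hypothetical attribute name
    private static final SecureRandom RNG = new SecureRandom();
    static String newSecret() { // 256 random bits, URL-safe base64
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    // True only if the browser sent cookie <sessionId> and its value equals the stored secret;
    // constant-time compare so response timing does not leak how many bytes matched.
    static boolean presentsSecret(HttpServletRequest req, String sessionId, String expected) {
        Cookie[] cs = req.getCookies();
        if (cs == null) return false;
        for (Cookie c : cs)
            if (sessionId.equals(c.getName()))
                return MessageDigest.isEqual(c.getValue().getBytes(StandardCharsets.UTF_8),
                                             expected.getBytes(StandardCharsets.UTF_8));
        return false;
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false); // never create a session here
        if (session != null) {
            String expected = (String) session.getAttribute(SECRET_ATTR);
            if (expected == null) { // first request seen for this session: mint and hand out the secret
                expected = newSecret();
                session.setAttribute(SECRET_ATTR, expected);
                Cookie c = new Cookie(session.getId(), expected);
                c.setHttpOnly(true); c.setSecure(req.isSecure()); c.setPath("/");
                res.addCookie(c);
            } else if (!presentsSecret(req, session.getId(), expected)) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN); // a leaked URL alone cannot resume it
                return;
            }
        }
        chain.doFilter(rq, rs);
    }
}
```

Because each cookie is named after its session id, several sessions can coexist in one browser without their cookies colliding, which is the property the thread is after.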

On 12/09/2016 11:24 PM, Greg Wilkins wrote:

Silvio,

Either way it is a bit of work. To extend the SessionManager in 9.4, you need to change SessionHandler methods:
  • checkRequestedSessionId
  • getSessionCookie
  • getSessionIdPathParameterName
depending on the request params, which not all of them have access to.  You may need to set a thread local, but then you'll need to be wary of async stuff, so you may need to set that thread local in a ContextHandler ScopeListener as well.

RewriteHandler approach is pretty straightforward on the inbound side, as you can change the request however you want, but it is more complex on the outbound side to do the rewriting and change the cookies. Maybe you need to wrap the response.

Hard to say which is the best approach without giving it a go and without knowing exactly all your concerns and motivations.

cheers



On 10 December 2016 at 01:45, Silvio Bierman <sbierman@xxxxxxxxxxxxxxxxxx> wrote:
Hello Christoph,

Since the sessions contain non-serializable state they are not suited for this type of clustering. Clustering is done at a different level in this system, not at the user session level.

The session concept fits fine. The only problem I have is that I need to have more than one at the same time in the same browser, which is very easy when tracking sessions in the URL and very difficult when tracking them with session cookies.

Cheers,

Silvio



On 12/09/2016 11:06 AM, Christoph Läubrich wrote:
BTW: Jetty supports Clustered Sessions with the JDBCSessionManager

But if the Session concept itself does not fit your needs, why don't you use a custom storage for this instead? You can even then store this in the (single) User-Session ;-)

On 08.12.2016 13:42, Silvio Bierman wrote:
Hello all,

I have an application that needs to explicitly spawn sessions for a user. The main reason is that it needs to either open multiple browser windows each accessing their own separate session or it redirects the user through different sessions. For several reasons this cannot be retrofitted into a single session, one of which is that the sessions currently can reside on a different node in a sort-of-cluster (sticky).

Currently the application uses URL-based session tracking. This works flawlessly but for security reasons I would like to change the session tracking mechanism. Since I cannot spawn new sessions in a Jetty server while handling a request that already has a session associated with it (or can I?) I am thinking of the following scheme:

When I need a new session I create some kind of session-token and stuff that in the URL. Then that request is handled by Jetty and I would like Jetty to attach a session to it, tracking it with a session cookie. BUT: I want Jetty to use the session-token as the name of the session cookie. That means that I would need to hook the SessionManager to make the session cookie name dependent on the request.

Is this at all possible? Or are there better ways to do this?

Cheers and thanks in advance,

Silvio

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
