Version 4.10.0

hirondelle.web4j.security
Class SuppressUnwantedSessions

Object
  extended by hirondelle.web4j.security.SuppressUnwantedSessions
All Implemented Interfaces:
Filter

public class SuppressUnwantedSessions
extends Object
implements Filter

Suppress the creation of unwanted sessions.

Using this filter means that browsers must have cookies enabled. Some users believe that disabling cookies protects them. For web applications, this seems inadvisable, since the replacement for cookies -- URL rewriting -- carries a much higher security risk. URL rewriting is dangerous because it is a vector for session hijacking and session fixation.

This class can be used only when form-based login is used. When form-based login is used, the generation of the initial JSESSIONID cookie is done only once per session, by the container. This filter helps you enforce the policy that form-based login should be the only time a session cookie is generated.

Superfluous sessions and session ids represent a security risk. Here, the following approach is taken:

Note how the container and the web application work together to manage the JSESSIONID cookie.

It's unfortunate that the Servlet API and JavaServer Pages make it a bit too easy to create new sessions. To circumvent that, this filter uses custom wrappers for the underlying HTTP request and response. These wrappers alter the implementations of the following methods related to creating sessions:

Calls to the getSession methods are in effect all coerced to getSession(false). Since this doesn't affect the form-based login mechanism, the user will still receive a JSESSIONID cookie during form-based login. This policy ensures that your code cannot mistakenly create a superfluous session.

The encodeXXX methods are no-operations, and simply return the given String unchanged. This policy in effect disables URL rewriting. URL rewriting is a security risk since it allows session ids to appear in simple links, which are subject to session hijacking.

As a convenience, this class will also detect sessions that do not have a user login, and will log such occurrences as a warning.
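As an added illustration of the wrapper strategy described above (example code, not WEB4J's own source), the following filter coerces every getSession call to getSession(false), turns the encodeXXX methods into no-ops, and warns about an existing session with no logged-in user. The class name NoNewSessionsFilter and the use of getUserPrincipal() as the "user login" check are assumptions.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter (not the WEB4J implementation) showing the wrapper technique. */
public final class NoNewSessionsFilter implements Filter {
  private static final Logger LOG = Logger.getLogger(NoNewSessionsFilter.class.getName());

  @Override public void init(FilterConfig config) {}
  @Override public void destroy() {}

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HttpServletResponse httpResponse = (HttpServletResponse) response;
    // Detect a session that exists without a container-authenticated user (assumption:
    // form-based login populates getUserPrincipal()). The session id itself is deliberately
    // not written to the log; the request URI is enough to locate the offending code path.
    HttpSession existing = httpRequest.getSession(false);
    if (existing != null && httpRequest.getUserPrincipal() == null) {
      LOG.warning("Session exists without a user login: " + httpRequest.getRequestURI());
    }
    chain.doFilter(new NoCreateRequest(httpRequest), new NoRewriteResponse(httpResponse));
  }

  /** Every getSession call becomes getSession(false): downstream code can never create one. */
  private static final class NoCreateRequest extends HttpServletRequestWrapper {
    NoCreateRequest(HttpServletRequest wrapped) { super(wrapped); }
    @Override public HttpSession getSession() { return super.getSession(false); }
    @Override public HttpSession getSession(boolean create) { return super.getSession(false); }
  }

  /** The encodeXXX methods return the URL unchanged, which disables URL rewriting. */
  private static final class NoRewriteResponse extends HttpServletResponseWrapper {
    NoRewriteResponse(HttpServletResponse wrapped) { super(wrapped); }
    @Override public String encodeURL(String url) { return url; }
    @Override public String encodeRedirectURL(String url) { return url; }
    @SuppressWarnings("deprecation")
    @Override public String encodeUrl(String url) { return url; }
    @SuppressWarnings("deprecation")
    @Override public String encodeRedirectUrl(String url) { return url; }
  }
}
```

Map the filter to /* in web.xml so that it wraps every request, including those handled by JSPs, since a JSP creates a session by default unless it declares session="false".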


Constructor Summary
SuppressUnwantedSessions()

Method Summary
void destroy()
          This implementation does nothing.
void doFilter(ServletRequest aRequest, ServletResponse aResponse, FilterChain aChain)
void init(FilterConfig aFilterConfig)
          This implementation does nothing.

Methods inherited from class Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SuppressUnwantedSessions

public SuppressUnwantedSessions()

Method Detail

doFilter

public void doFilter(ServletRequest aRequest,
                     ServletResponse aResponse,
                     FilterChain aChain)
              throws IOException,
                     ServletException
Specified by:
doFilter in interface Filter
Throws:
IOException
ServletException

init

public void init(FilterConfig aFilterConfig)
This implementation does nothing.

Specified by:
init in interface Filter

destroy

public void destroy()
This implementation does nothing.

Specified by:
destroy in interface Filter

Copyright Hirondelle Systems. Published October 19, 2013 - User Guide - All Docs.