java.lang.Object
  hirondelle.web4j.security.SuppressUnwantedSessions

public class SuppressUnwantedSessions
Suppress the creation of unwanted sessions.
Using this filter means that browsers must have cookies enabled. Some users believe that disabling cookies protects them, but for web applications this is inadvisable, since the replacement for cookies, URL rewriting, carries a much higher security risk: a session id embedded in a URL is a vector for session hijacking and session fixation.
This class can be used only when form-based login is used. When form-based login is used, the generation of the initial JSESSIONID cookie is done only once per session, by the container. This filter helps you enforce the policy that form-based login should be the only time a session cookie is generated.
Superfluous sessions and session ids represent a security risk. Here, the following approach is taken:
Note how the container and the web application work together to manage the JSESSIONID cookie.
It's unfortunate that the Servlet API and Java Server Pages make it a bit too easy to create new sessions. To circumvent that, this filter uses custom wrappers for the underlying HTTP request and response. These wrappers alter the implementations of the following methods related to creating sessions:

HttpServletRequest.getSession()
HttpServletRequest.getSession(boolean)
HttpServletResponse.encodeRedirectURL(java.lang.String)
HttpServletResponse.encodeRedirectUrl(java.lang.String)
HttpServletResponse.encodeURL(java.lang.String)
HttpServletResponse.encodeUrl(java.lang.String)
The encodeXXX methods are no-operations and simply return the given String unchanged. This policy in effect disables URL rewriting, which is a security risk because it lets session ids appear in plain links, where they are exposed to session hijacking.
As a convenience, this class will also detect sessions that do not have a user login, and will log such occurrences as a warning.
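The wrapper approach described above, as an added illustration that is not web4j's own code: the request wrapper refuses to create a session (only an existing one is returned), the response wrapper turns every encodeXXX method into a no-op, and the filter logs a warning when a session exists without a logged-in user. Class names, the use of getRemoteUser() as the login check, and the choice to throw on an attempted session creation are this example's assumptions.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (not web4j's code): wraps the request so that no code downstream
// can create a session, and wraps the response so URL rewriting is disabled.
public class NoStraySessionsFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(NoStraySessionsFilter.class.getName());

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpResp = (HttpServletResponse) resp;
        // Convenience check: a session that exists without a logged-in user is suspicious.
        // The session id itself is deliberately not logged.
        HttpSession existing = httpReq.getSession(false);
        if (existing != null && httpReq.getRemoteUser() == null) {
            LOG.warning("Session present without a logged-in user for " + httpReq.getRequestURI());
        }
        chain.doFilter(new NoNewSessionRequest(httpReq), new NoRewriteResponse(httpResp));
    }

    // getSession() and getSession(true) may return an existing session but never
    // create one; creation is refused loudly so the offending code is easy to find.
    static final class NoNewSessionRequest extends HttpServletRequestWrapper {
        NoNewSessionRequest(HttpServletRequest req) { super(req); }

        @Override public HttpSession getSession() { return getSession(true); }

        @Override public HttpSession getSession(boolean create) {
            HttpSession session = super.getSession(false);
            if (session == null && create) {
                throw new IllegalStateException(
                    "Refusing to create a session outside form-based login: " + getRequestURI());
            }
            return session;
        }
    }

    // All encodeXXX variants return the URL unchanged, so ;jsessionid=... never appears in a link.
    static final class NoRewriteResponse extends HttpServletResponseWrapper {
        NoRewriteResponse(HttpServletResponse resp) { super(resp); }
        @Override public String encodeURL(String url) { return url; }
        @Override public String encodeRedirectURL(String url) { return url; }
        @SuppressWarnings("deprecation") @Override public String encodeUrl(String url) { return url; }
        @SuppressWarnings("deprecation") @Override public String encodeRedirectUrl(String url) { return url; }
    }
}
```

Map the filter to the URL patterns that must not create sessions and leave the container's form-login path as the only place a JSESSIONID cookie originates.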
Constructor Summary

SuppressUnwantedSessions()

Method Summary

void destroy()
    This implementation does nothing.

void doFilter(ServletRequest aRequest, ServletResponse aResponse, FilterChain aChain)

void init(FilterConfig aFilterConfig)
    This implementation does nothing.

Methods inherited from class Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Constructor Detail

public SuppressUnwantedSessions()

Method Detail

public void doFilter(ServletRequest aRequest, ServletResponse aResponse, FilterChain aChain) throws IOException, ServletException
    Specified by: doFilter in interface Filter
    Throws: IOException, ServletException

public void init(FilterConfig aFilterConfig)
    Specified by: init in interface Filter

public void destroy()
    Specified by: destroy in interface Filter