Forward with Parameters but without using the Session

asked 2019-02-12 23:36:33 +0800

MJacob

Hi everyone,

Hope someone has an Idea.
What I need:
Check if a certain session attribute is set when trying to authenticate:

Sessions.getCurrent().getAttribute(...);

By doing this a new session is created. If the attribute is not set, the authentication is checked and needs to be saved into a new session. It must be a new session to retrieve a new session ID, otherwise the app would be vulnerable to session token fixation attacks.
Now I can't invalidate the session, get a new one and then set the authentication because

Sessions.getCurrent().invalidate();
Sessions.getCurrent(true).setAttribute(...);

Will not destroy the session until the last request is completed, hence getCurrent() will give me the "old" session which at this point in time is still valid.
My idea was to send a forward afterwards with the necessary attributes in the URL to save them in the other method to the session, in which I would have access to the new session. However, I'm getting an IllegalStateException:

java.lang.IllegalStateException: Use sendRedirect instead when processing user's request

Any ideas on how to solve this scenario?
Thanks in advance! MJ.


1 Answer


answered 2019-02-13 12:41:10 +0800

cor3000
ZK Team

I am not a security expert so please check for yourself (and with your security team) whether the code below fulfills your particular requirements. It merely tries to demonstrate how the native session and request objects can be used to conditionally invalidate a session, set/check an attribute and forward the request if needed.

For this scenario I'd suggest a lower level of abstraction and work with the native HttpSession and HttpServletRequest objects directly, e.g. in a servlet filter.

This catches potential manipulation attempts at an earlier stage in the request processing (and makes you independent of the framework used).

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.io.IOException;

public class CheckCertainAttributeFilter implements Filter {

    public static final String CERTAIN_SESSION_ATTRIBUTE = "certain-session-attribute";
    public static final String MY_EXPECTED_VALUE = "my-expected-value";

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, 
            FilterChain chain) throws IOException, ServletException {
        final HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        // getSession() creates a session if none exists yet, so it never returns null
        final HttpSession session = httpServletRequest.getSession();

        // check for the certain session attribute value
        final String certainSessionAttributeValue = 
                (String) session.getAttribute(CERTAIN_SESSION_ATTRIBUTE);
        if (!MY_EXPECTED_VALUE.equals(certainSessionAttributeValue)) {
            // drop the current session ID and start a fresh session before storing the attribute
            session.invalidate();
            HttpSession newSession = httpServletRequest.getSession(true);
            newSession.setAttribute(CERTAIN_SESSION_ATTRIBUTE, MY_EXPECTED_VALUE);
            request.getRequestDispatcher("/login.zul").forward(request, response);
            // the forwarded target has produced the response; do not continue the chain
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException { }

    @Override
    public void destroy() { }
}

Then configure the filter in your web.xml

<filter>
    <filter-name>checkCertainAttribute</filter-name>
    <filter-class>CheckCertainAttributeFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>checkCertainAttribute</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

After that each request will be forwarded to the login.zul page, unless the expected value is present in the session attribute.
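As an added example (this is not code from the original post, the answer above, or the ZK project), the following helper shows the two ways a Servlet container lets you rotate the session ID at authentication time without forwarding anywhere: the Servlet 3.1 `HttpServletRequest.changeSessionId()` call, which keeps existing attributes and issues a fresh cookie, and the invalidate-and-rebuild approach from the answer, with the attributes carried over so framework state stored in the session is not lost. The attribute name `auth.user` and the class name are hypothetical; a Servlet 3.1+ container is assumed for `changeSessionId()`.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Session-fixation mitigation at login time (added example, not from the ZK project).
 * Whichever variant is used, the session ID the client held before authenticating
 * must stop working after it, so an ID planted by an attacker is never promoted
 * to an authenticated one.
 */
public final class SessionRotation {

    // Hypothetical attribute name for the authenticated principal.
    public static final String AUTH_USER = "auth.user";

    private SessionRotation() { }

    /**
     * Preferred variant (Servlet 3.1+): keep the session object and its attributes,
     * but change its ID. The container invalidates the old ID and sends a new cookie.
     * Call this only after the credentials have been verified.
     */
    public static HttpSession loginByChangingSessionId(HttpServletRequest request, String userName) {
        HttpSession session = request.getSession(true);
        request.changeSessionId(); // throws IllegalStateException if there is no session
        session.setAttribute(AUTH_USER, userName);
        return session;
    }

    /**
     * Fallback variant (pre-3.1 containers): invalidate the current session and build a
     * new one. Attributes are copied first, because invalidate() discards them. On the
     * native request, getSession(true) after invalidate() yields a new session with a new ID.
     */
    public static HttpSession loginByRebuildingSession(HttpServletRequest request, String userName) {
        HttpSession old = request.getSession(true);
        Map<String, Object> carried = new HashMap<>();
        for (String name : Collections.list(old.getAttributeNames())) {
            carried.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        fresh.setAttribute(AUTH_USER, userName);
        return fresh;
    }

    /** Convenience check for filters: is this request already authenticated? */
    public static boolean isAuthenticated(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // do not create one just to look
        return session != null && session.getAttribute(AUTH_USER) != null;
    }
}
```

Inside a ZK event handler the native request can be obtained with `(HttpServletRequest) Executions.getCurrent().getNativeRequest()` and passed to either method. `loginByChangingSessionId` is the safer choice under ZK, since it keeps the attributes in which the framework stores its own session state; the rebuild variant is only needed where `changeSessionId()` is unavailable. Verify on your container that the old cookie is rejected after login before relying on either path.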
