J2EE session variables & Non Random Session IDs

Our server keeps failing our PCI compliance test due to the Session IDs being non-random.
Description: Web Server Uses Non Random Session IDs
Synopsis: The remote web server generates predictable session IDs.
Impact: The remote web server generates a session ID for each connection. A session ID is typically used to keep track of the actions of a user while he visits a web site. The remote server generates non-random session IDs. An attacker might use this flaw to guess the session IDs of other users and therefore steal their session. See also: http://pdos.csail.mit.edu/cookies/seq_sessionid.html
Data Received: Sending several requests gives us the following session IDs: CFID=896744 CFID=896745 CFID=896746 CFID=896747 CFID=896748
Resolution: Configure the remote site and CGIs so as to use random session IDs.
Risk Factor: Medium / CVSS2 Base Score: 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N
We are using J2EE session variables, which I thought was the more secure option. Is there something else you have to do to guarantee that the Session IDs are non random, or is this the compliance test picking up on a false positive?
P.S. It's a recent migration to CF10, don't know if that has anything to do with it.

Personally, I use the client scope instead of the session scope so that I don't have to worry about sticky sessions.  That has always worked out nicely for me.
I read that article you referenced, and it's got some interesting stuff.  In particular, I have seen the client scope database tables not purge as they're supposed to.  And the stuff about preparing, executing, and then unpreparing SQL statements on each request is alarming, if true.
However, I have to say that I have never, ever, ever, ever had performance issues due to client variables.  Not once.  Whatever performance hit my application may incur from using client variables has, to this point, been completely dwarfed by the performance of the application itself.  And, c'mon, the stuff about being lazy because you don't want to spend precious engineering time worrying about something like session management (which is never going to add value to your product) rather than coding something actually useful to your end users...that seems overly harsh to me.
I completely agree that storing client vars in the Windows Registry is bananas, as is the default 90 day purge limit (though as of CF 9.0.whatever, the default is 1 day, 7 hours, so clearly they've made some changes since this article was written).  But I'm loathe to throw away client-based management.
I think, getting back to the issue at hand, that this may be a false positive.  CFID is sequential, but CFTOKEN is not; that should really be the end of the story.  I'll see if McAfee will listen.  (-;
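The scan quoted above flags CFID on its own, while the answer points out that CFTOKEN beside it is not sequential. The following Python script, added here and not part of the thread, runs that same kind of check over a series of Set-Cookie headers: per cookie name it reports a constant step for counter-style IDs, reuse of a value, and an optimistic entropy bound. The header values are constructed to mirror the scan output, and the 64-bit floor is an assumed threshold.

```python
"""Added example (not code from the thread): sort the session cookies a
server issues into sequential, reused, low-entropy or acceptable, using
the same CFID / CFTOKEN / JSESSIONID names the posts above discuss."""
import math
import re

# Constructed sample: four responses from one server. CFID counts up by one
# (the scanner's finding); the CFTOKEN and JSESSIONID values are made-up
# random-looking strings of the length those cookies typically have.
SAMPLE_HEADERS = [
    "Set-Cookie: CFID=896744; Path=/; HttpOnly",
    "Set-Cookie: CFTOKEN=8a3f1c2e-5b7d-4e9a-a1b2c3d4e5f60718; Path=/; HttpOnly",
    "Set-Cookie: JSESSIONID=9f86d081884c7d659a2feaa0c55ad015; Path=/; HttpOnly",
    "Set-Cookie: CFID=896745; Path=/; HttpOnly",
    "Set-Cookie: CFTOKEN=c47e2b90-1d6f-4a3c-b9e8d7c6a5f43210; Path=/; HttpOnly",
    "Set-Cookie: JSESSIONID=3c6e0b8a9c15224a8228b9a98ca1531d; Path=/; HttpOnly",
    "Set-Cookie: CFID=896746; Path=/; HttpOnly",
    "Set-Cookie: CFTOKEN=0b9d5e71-af24-43c8-7e6f5d4c3b2a1908; Path=/; HttpOnly",
    "Set-Cookie: JSESSIONID=e1d0c9b8a7f6e5d4c3b2a1908f7e6d5c; Path=/; HttpOnly",
    "Set-Cookie: CFID=896747; Path=/; HttpOnly",
    "Set-Cookie: CFTOKEN=f5a8d23c-6e19-4b07-2c3d4e5f6a7b8c9d; Path=/; HttpOnly",
    "Set-Cookie: JSESSIONID=71c2a9e4d5f60b38c7e2a1d9f4b6c083; Path=/; HttpOnly",
]

COOKIE_RE = re.compile(r"^Set-Cookie:\s*([^=;\s]+)=([^;]*)", re.I)

def parse_set_cookie_headers(headers):
    """Group cookie values by name, in the order the server issued them."""
    issued = {}
    for line in headers:
        m = COOKIE_RE.match(line.strip())
        if m:
            issued.setdefault(m.group(1), []).append(m.group(2).strip())
    return issued

def sequential_step(values):
    """Constant difference between consecutive numeric IDs, or None when the
    values are not all integers with a single fixed step."""
    if len(values) < 2 or not all(v.isdigit() for v in values):
        return None
    nums = [int(v) for v in values]
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return steps.pop() if len(steps) == 1 else None

def entropy_upper_bound(values):
    """Optimistic bit estimate: mean length times log2 of the alphabet seen.
    The real generator can only be weaker than this, never stronger."""
    alphabet = set("".join(values))
    if len(alphabet) < 2:
        return 0.0
    mean_len = sum(len(v) for v in values) / len(values)
    return mean_len * math.log2(len(alphabet))

def assess_cookie(values, min_bits=64.0):
    """min_bits is an assumed floor, in line with OWASP's guidance of at
    least 64 bits of entropy for a session identifier."""
    step = sequential_step(values)
    bits = entropy_upper_bound(values)
    if step is not None:
        verdict = "predictable"  # a counter: the next ID is trivially known
    elif len(set(values)) < len(values):
        verdict = "reused"       # the same ID handed out more than once
    elif bits < min_bits:
        verdict = "weak"         # too short or too small an alphabet
    else:
        verdict = "ok"
    return {"step": step, "bits": round(bits, 1), "verdict": verdict}

def assess_headers(headers, min_bits=64.0):
    """Verdict per cookie name. A scanner that only looks at CFID reports
    'predictable' even when the CFTOKEN or JSESSIONID beside it is fine."""
    return {name: assess_cookie(vals, min_bits)
            for name, vals in parse_set_cookie_headers(headers).items()}

if __name__ == "__main__":
    for name, r in assess_headers(SAMPLE_HEADERS).items():
        print(f"{name:10s} step={r['step']} bits<={r['bits']} {r['verdict']}")
```

Run against your own server's responses, the script separates the sequential-CFID finding from the question that matters for PCI: whether the token that actually authenticates the session (CFTOKEN, or JSESSIONID alone once client cookies are off) is unpredictable.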

Similar Messages

  • J2ee session variables

    Hi, I have been trying to use session variables in my app. I
    have enabled the session variables in the CF admin, and in the
    Application.cfc.
    However, when I try to run my app it says the session is invalid.
    The session doesn't even start. I get this error every time unless I
    turn off the J2EE session variables. I have checked both the J2EE
    and session timeouts. The session is set at 30 and the J2EE
    timeout is set to 66.
    I have read the ColdFusion documentation and feel that I
    would like to use J2EE sessions.
    I am using this on a single site and on the Developer
    Edition. Can anyone help me understand why this error is occurring
    and how I can get around it?
    I would appreciate any help.
    Thanks

    I would first make sure you have the latest
    patches/update/hot fixes.
    The 'session is invalid' is/was a known problem.
    http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=tn_17883
    http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=aae43964
    Perhaps you simply need to apply the appropriate update.
    Good luck!

  • CFID and CFTOKEN still set when using J2EE sessions

    I'm using CF10 and "Use J2EE session variables" is selected in the CF admin.
    When I visit an application, I get the JSESSIONID cookie, but I also get the CFID and CFTOKEN persistent cookies. The app I'm working with is older and uses Application.cfm instead of Application.cfc, but the clientmanagement and setclientcookies application attributes are set to false.
    I'm not sure why CFID and CFTOKEN are still set. Are they set regardless of the client and session management settings?

    cherdt
    There are ways to force CF to create session cookies: simply change the cfcookie tag to be a session cookie. You can find these two links:
    http://www.bennadel.com/blog/1131-ask-ben-ending-coldfusion-session-when-user-closes-browser.htm
    http://www.johnwbartlett.com/cf_tipsntricks/index.cfm?TopicID=75
    BKBK
    I agree with his statement, and it is so even though the documentation says.

  • How to invalidate session ids

    Dear all,
    Does anyone know how to invalidate the session IDs?
    Ex. The server maintains many client session IDs.
    I want to invalidate those client session IDs.

    There are several cases when a session is invalidated:
    1. when the time specified in web.xml elapsed (session-timeout tag) - this is specified for the entire server
    2. when using session.setMaxInactiveInterval. specs:
    "Specifies the time, in seconds, between client requests before the servlet container will invalidate this session."
    3. when you call session.invalidate() specs: " Invalidates this session then unbinds any objects bound to it." With this, the session is immediately invalidated.

  • ALC-UPG-221-002: Errors while migrating archive session Ids.

    I am doing an out of place upgrade from ES2 to ES4.  I have run the Turnkey ES4 upgrade, installed SP1, copied the GDS from the old location to the new location and run Configuration Manager.  When I get to the "Perform
    critical tasks before component deployment" screen and click the Start button I get this error:
    10:07] ALC-UPG-002-505: Disabling UserManager synchronization.
    [10:07] ALC-UPG-001-501: Executing [Application Manager] plugin ...
    [10:07] ALC-UPG-001-503: [Application Manager] plugin execution failed, error message from plugin is [ALC-UPG-221-002: Errors while migrating archive session Ids.].  See LCM logs for details.
    [10:07] ALC-UPG-002-506: Enabling UserManager synchronization.
    The LCM log has this:
    [2014-08-06 10:32:58,555], INFO, AWT-EventQueue-0, com.adobe.livecycle.upgrade.gui.UpgradePhaseDialog, ALC-UPG-002-505: Disabling UserManager synchronization.
    [2014-08-06 10:32:58,560], INFO, Thread-32, com.adobe.livecycle.lcm.feature.lcServer.LCServerConnector, LC Connection properties: {DSC_DEFAULT_SOAP_ENDPOINT=http://localhost:8080, DSC_TRANSPORT_PROTOCOL=SOAP, DSC_CREDENTIAL_PASSWORD=********, DSC_REQUEST_TIMEOUT=1200000, DSC_CREDENTIAL_USERNAME=administrator, }
    [2014-08-06 10:32:58,560], INFO, Thread-32, com.adobe.livecycle.lcm.feature.lcServer.LCServerConnector, Validating connection...
    [2014-08-06 10:32:59,961], SEVERE, Thread-32, com.adobe.livecycle.upgrade.control.PhaseRunner, Aborting.  Invocation of method [configurePreDeploy] failed for com.adobe.livecycle.upgrade.plugins.from9xto100.applicationmanager.Upgrade9xTo100ApplicationManagerPlugin.  Caught com.adobe.livecycle.upgrade.UpgradeException, message: ALC-UPG-221-002: Errors while migrating archive session Ids.
    com.adobe.livecycle.upgrade.UpgradeException: ALC-UPG-221-002: Errors while migrating archive session Ids.
    at com.adobe.livecycle.upgrade.plugins.from9xto100.applicationmanager.Upgrade9xTo100ApplicationManagerPlugin.configurePreDeploy(Upgrade9xTo100ApplicationManagerPlugin.java:110)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.adobe.livecycle.upgrade.control.PhaseRunner.run(PhaseRunner.java:244)
    at java.lang.Thread.run(Thread.java:724)
    [2014-08-06 10:33:01,763], INFO, AWT-EventQueue-0, com.adobe.livecycle.upgrade.gui.UpgradePhaseDialog, ALC-UPG-002-506: Enabling UserManager synchronization.
    Nothing tells what the errors are.

    Dear Pallavi,
    Very useful post!
    I am looking for similar accelerators for
    Software Inventory Accelerator
    Hardware Inventory Accelerator
    Interfaces Inventory
    Customization Assessment Accelerator
    Sizing Tool
    Which helps us to come up with the relevant Bill of Materials for every area mentioned above, and the ones which I don't know...
    Request help on such accelerators... Any clues?
    Any reply, help is highly appreciated.
    Regards
    Manish Madhav

  • List all active login sessions IDs

    Hi,
    I want to enumerate all active login sessions for session IDs. I found some API, SessionGetInfo, which gives the current user's
    session ID, and getutmpxent, which gives the process ID (as I understand, the ID of the process creating the session) of all sessions. I
    want to map pid to session ID, or is there any other way to list the session IDs of all logged in users?
    Thanks.

    Hi Nagendra,
    You can get the information through one more option also. In case of a function module you need to execute the module again and again for each user, or maybe need to write a report. I would like to suggest an alternative to you. That is making use of queries.
    1. Go to transaction SQVI.
    2. In the input field Quick View give any name for the query, for example Z_EMAIL_ADD.
    3. Choose the create option. In the resulting pop up give a description in the Title field. In data source choose TABLE JOIN. Select Basis mode.
    4. In the next screen choose the INSERT TABLE pushbutton and in the pop up give USR21. Then again choose the INSERT TABLE pushbutton and this time give ADR6.
    5. Now go back using the back arrow or F3.
    6. Now in the new screen you will be under the tab strip List fld select. From the entries under available fields (on the right hand side) select User name in user master record and the first entry for Internet mail (SMTP) address. Now using the single arrow pushbutton pointing towards the left, move these fields to the tabstrip List fld select.
    7. Now go to the tabstrip Selection field. As done in step 6, move User name in user master record under it.
    8. Save the changes and go back. A pop up will come asking you to save quick view Z_EMAIL_ADD. Choose yes.
    9. Now execute the query. In the input field you can give one user or multiple users at a given time.
    Regards,
    Rajesh

  • Database Session IDs

    I've tried finding an answer and it seems simple enough but I was wondering if anybody could help with the following:
    -It might help that what I have in mind is creating a staging table that stores a session ID and a couple of other columns. A final procedure is called in the end that takes the data from the staging table, inserts it into another based on the session ID and another column, and deletes it from the staging table. I'm a little concerned that if an error occurs in one of the prior procedures that data will not be cleaned up. My thought was to create a shell script that ran every so often that will remove any entries deemed to be over a certain time limit. However, it got me thinking about session IDs and whether it is possible that a session ID could be used again. It would cause a problem if there was an error and the script hadn't run yet and the session ID was reused again. Therefore my questions below.
    Are Session IDs unique?
    Are Session IDs reused?
    If so, is there a general rule of thumb of how frequently they could be used again?
    Any help would be appreciated.
    Thanks

    First, what, exactly do you mean by "Session ID"?
    If you mean SID (from v$session), yes, SIDs are reused all the time. The combination of SID and SERIAL# from V$SESSION is generally unique enough. It will be reused, but on a much longer time scale.
    If you mean SYS_CONTEXT('USERENV','SESSIONID'), the auditing session identifier, that should be unique assuming it is populated (it is not populated for SYS sessions, for example).
    If you mean something else, you'll have to be a bit more specific.
    Justin

  • Predictable Cookie Session IDs

    I am running CF8 with all the latest hot-fixes and for the past couple of months I have not had any issues with PCI. Yesterday I failed with a "Predictable Cookie Session ID" remark. I do have Use UUID as CFToken checked as well as Use J2EE Session Vars. What am I missing?

    based on what OWASP has to say
    OWASP says
    "Best practice calls for J2EE session management. In the
    event that only ColdFusion session management is available, strong
    security identifiers must be used. Enable this setting to change
    the default 8-character CFToken security token string to a UUID.
    http://www.owasp.org/index.php/Configuration"
    It looks like the J2EE sessions are the way to go.
    I believe the reason for the PCI flag is that the scan (at
    least the one from the service we use) was looking at CFID alone. I
    assume this because cftoken -was- set to use uuid so it should have
    been secure. The scan probably doesn't know that cfid and cftoken
    are used in conjunction. So in a way this is a false positive.
    Based on the new standards coming in it is enough to be out of
    compliance.
    The solution to be in compliance is to set clientmanagement="no"
    and setclientcookies="no" in application.cfm so that cfid and
    cftoken are not set at all. By using only the jsessionid, you are
    following best practices from OWASP and also get the benefit of
    session end on browser close.
    Other thoughts still welcome

  • Session Ids

    Hi,
    How do I store the session IDs of the stateful session beans? Their type is void. How can I persist them in the local database?
    Regards
    Bhavana

    HI
    GOOD
    GO THROUGH THIS LINK, I HOPE THIS WILL GIVE YOU SOME IDEA TO SOLVE YOUR PROBLEM
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/56fbae90-0201-0010-518d-a256d833508e
    http://wendtstud1.hpi.uni-potsdam.de/sysmod-seminar/SS2005/elaborations/02_Clustering-Concept_of_the_SAP_web_AS.pdf
    http://www.ssw.uni-linz.ac.at/Teaching/Lectures/SpezialLVA/Loeffler/SS2005/j2ee_introduction_and_practice.pdf
    THANKS
    MRUTYUN

  • IPhone randomly starts playlist in non-random mode

    I've been having a weird problem with my iPhone 4 for a while now and am wondering if anyone has seen the same behavior.
    Periodically I will resume playback of one of my smart playlists and notice that the iPhone is playing the music in non-random mode, I will hear one song after another from the same artist. If I display the playback status then I can see that random mode is in fact selected.
    Toggling random off and back on fixes the problem.
    It's possible that this is in some way related to using a number of different car kits (I have several different vehicles) but I'm not really sure of this.
    Is this a known bug?
    I actually had my iPhone completely swapped out not too long ago and the problem came over to the new one, so I know the hardware is not the problem.
    Message was edited by: jmpage2

    1. I have not had this happen to me as of yet, but I would say turn match off and then back on or you can do a hard reset to see if that fixes it.  the last option I would take is to restore from a backup, and that should fix it.
    2.I have not seen this happen either.  Again, I would say do a hard reset and see if the problem persists.  If it persists then delete the sluggish app and redownload it from the app store and see if that fixes the problem. 
    3. I have found that iTunes seems to be a little sluggish with Match on.  They definitely need to give it an update.  Let's all hope for a new iTunes this year.  I don't think there is a fix for this.
    4. Don't have the answer for this either.  I know iTunes really sorts by artist and most of the time if I don't intentionally put the album artist in then iTunes does not do it for me.
    5. Album artwork does kinda come and go, but if you have it attached to the music file then it's just a glitch that will get fixed as Apple continues to issue updates and fixes for these common problems, and yes artwork is a common problem; just look through the threads and you will see it come up very frequently.
    Hope I helped.

  • Conversion of class variable (static) into instance variable (non-static)!

    Dear all,
    got a slight different question.
    Is that possible to convert class variable (static) into instance variable(non-static)?
    If so, how to make the conversion?
    Appreciating your replies :)
    Take care all,
    Leslie V
    http://www.googlestepper.blogspot.com
    http://www.scrollnroll.blogspot.com

    JavaDriver wrote:
    Anything TBD w.r.to pass by value/reference (without removing 'static' keyword)?
    Besides the use of acronyms in ways that don't make much sense there are two other large problems with this "sentence".
    1) Java NEVER passes by reference. ALWAYS pass by value.
    2) How parameters are passed has exactly zero to do with static.
    Which all means you have a fundamentally broken understanding of how Java works at all.
    Am I asking something apart from this?
    Thanks for your reply!
    Leslie V
    What you're asking is where to find the tutorials because you're lost. Okay. Here you go [http://java.sun.com/docs/books/tutorial/java/index.html]
    And also for the love of god read this [http://www.javaranch.com/campfire/StoryPassBy.jsp] There is NO excuse for not knowing pass-by in Java in this day and age other than sheer laziness.

  • How can i get list of Session Ids or SessionObjects present in appl server

    hi,
    I want to explicitly kill the sessions of the logged in persons from an application server instead of waiting for the server to invalidate them once their time is out.
    Can I get the list of all the session objects available in the server at that particular moment?
    regards
    sowjanya

    Hi!
    1. getIds() in javax.servlet.http.HttpSessionContext
    can be used, but it is deprecated.
    2. getIds() in javax.net.ssl.SSLSessionContext
    returns an Enumeration of all session IDs (you can't use this in this case).
    Also, in WebLogic (BEA) change requests No. CRS 45879 and 47878
    support methods like:
    public static boolean invalidateAll(HttpServletRequest req);
    Check it out there.
    Thanks,
    Ramu

  • Session ids blocking themselves

    There's a scenario wherein a session ID is blocking itself. The wait type is latch_ex - access_method_database_parent.
    I am capturing the queries and will work on optimizing them; however, I am looking for possible reasons for this.
    Environment
    Windows server 2008 sp2, SQL Server 2008 R2 ent sp1, CPU=32 , RAM 32
    Server level MAXDOP=0 tried changing it to 16 but the problem persists.
    Thanks, Ahmad Osama www.ahmadosama.net http://www.sqlservergeeks.com/people/AhmadOsama

    When an SPID is waiting for an I/O page latch, you may notice that the
    blocked column briefly reports that the SPID is blocking itself. This behavior is a side effect of the way that latches are used for I/O operations on data pages. When a thread issues an I/O request, the SPID that issues the I/O request acquires a
    latch on the page. All SQL Server 2000 I/O operations are asynchronous. Therefore, the SPID will try to acquire another latch on the same page if the SPID that issued the I/O request must wait for the request to finish. This second latch is blocked by the
    first latch. Therefore, the blocked column reports that the SPID is blocking itself. When the I/O request finishes, the first latch is released. Then, the second latch request is granted.
    Y'know, maybe I have seen this but not recently, I think I may have seen this in the 2005-2008 era when some of these behaviors were new.  That is I noticed them, I guess they're probably still occurring but these days, any block that clears itself
    within a second or two has not been my highest priority!  Self-deadlocks, that's a whole other thing!
    This may be enough answer for OP - parallel plan, threads fighting over a common page but not really, just queueing up for it.  20-30% CPU is nothing to worry about even as a constant, it's CERTAINLY nothing to worry about if the average is lower and
    30% is the peak!
    Though if that kind of thing *is* the cause, and the condition lasts for more than a second, I'd be curious just what the query is doing!  Maybe a whole bunch of child rows being changed with foreign keys to the same parent?
    Josh
    As I said .. I don't think it's related to data pages ...
    http://www.sqlskills.com/blogs/paul/most-common-latch-classes-and-what-they-mean/
    http://www.sqlservercentral.com/Forums/Topic969963-360-1.aspx
    Thanks, Ahmad Osama www.ahmadosama.net http://www.sqlservergeeks.com/people/AhmadOsama

  • How to track session IDs for multiple apps in same server instance?

    All:
    We have 2 web applications (for example: app1,app2) running in one app
    server instance (weblogic 5.1). Both of those applications use the same
    cookie name (defined in weblogic.properties ) to keep the HttpSessionID.
    The tricky thing is that if a client logs in to app1 and then logs in to
    app2 with the same web browser, (for example, IE). The app1's
    HttpSessionID kept in the cookie will be overwritten by app2's
    HttpSessionID because they use the same cookie name.
    My question is this:
    Is there a way to specify a cookie name for each application running in
    an application server instance?
    The only way we know of to work around the problem is that we have to
    host the app1 and app2 in 2 different app server instances so we can
    config app1 and app2 to use different cookie names for the
    HttpSessionID. We are curious if there is a better way to do that.
    BTW, We must use Cookie because of the requirement of cluster and load
    balancer.
    Thanks,
    Ben

    Hi Ben,
    Which version of Weblogic are you using??
    In 5.1 sp8 the Cookie names of the Web Apps are different by default.
    Prasad Peddada <[email protected]> wrote:
    Why can't you add your own cookie?
    In 6.0 you can have different cookie names for different
    apps.
    -- Prasad

  • Unique Session IDs in Appserver 7.0 ?

    Is the sessionid generated in Appserver 7.0 Standard Edition Globally unique ?
    Is it possible for sessionids generated by 2 different installations of appserver 7.0 to be same ?
    Is it possible for sessionids generated by 2 different instances of one installation to be same ?
    Anyone knows what the sessionids are made of (algorithm ? ).
    Thanks
    dcsit_techie

    it is evident that your jdk is not installed properly
    jar and native2ascii are required for successful install
    make sure these utilities installed properly
    and reinstall ID server
