Session ID security

Hi all,
I have the following scenario. A user logs in using https to an administrative area of the webapp. Should I keep using
https in the rest of the pages of the administrative area (currently no)?
Is it possible that another user could use the session id of the first user to get access to this area?
Thanks in advance.

Also note that AOL can switch the client IP on the fly (or at least it used
to), so it's dangerous to assume the IP is constant for a client.
Peace,
Cameron Purdy
Tangosol, Inc.
"Simon Nunn" <[email protected]> wrote in message
news:[email protected]..
> Bob,
>
> For 5.1, the session id does not contain the clients IP. Basically, WLS
> is generating a random session id.
>
> Thanks,
> Simon Nunn
> Developer Relations Engineer
> BEA Support
>
> Bob Lee wrote:
>
> > Is the session ID generated by WebLogic associated with the client's IP
> > address or something to prevent session hijacking?
> >
> > Thanks,
> > Bob
>
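
An added example, not code from this thread or from WebLogic: because the session id is a random value that is not tied to the client IP, whoever presents it is treated as the logged-in user, so the admin area has to stay on HTTPS after login. The sketch assumes a Servlet 3.1+ container; the class names, the `/admin/*` mapping and the `adminUser` attribute are hypothetical.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionTrackingMode;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. Map this filter to the admin area in web.xml,
// e.g. <url-pattern>/admin/*</url-pattern> (hypothetical path).
public class AdminHttpsFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Behind a TLS-terminating proxy, isSecure() describes the proxy-to-container
        // hop unless the container is configured to trust the proxy's scheme header.
        if (!req.isSecure()) {
            // If a session can still be resolved on a plain-HTTP request, its id
            // crossed the network in clear text: treat it as disclosed and end it.
            HttpSession exposed = req.getSession(false);
            if (exposed != null) {
                exposed.invalidate();
            }
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        chain.doFilter(req, res);
    }

    // Call from the login handler once the credentials have been verified.
    public static void startAdminSession(HttpServletRequest req, String user) {
        req.getSession(true);     // make sure a session exists before rotating
        req.changeSessionId();    // fresh random id; an id issued before login stops working
        req.getSession().setAttribute("adminUser", user); // hypothetical attribute name
    }

    // Register with <listener> in web.xml as AdminHttpsFilter$CookieHardening.
    public static class CookieHardening implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            ServletContext ctx = sce.getServletContext();
            // Secure: the browser sends the session cookie over HTTPS only.
            ctx.getSessionCookieConfig().setSecure(true);
            // HttpOnly: page scripts cannot read the cookie.
            ctx.getSessionCookieConfig().setHttpOnly(true);
            // Cookie tracking only, so the id never appears in a URL (;jsessionid=...).
            ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) { }
    }
}
```

With the Secure flag set, pages served over plain HTTP no longer receive the session cookie, so any part of the application that needs the session has to be served over HTTPS as well.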
          

Similar Messages

  • Bsod Session "Microsoft Security Client OOBE" stopped due to the following error: 0xC000000D

    I have a t540 with all hardware and software updates running Win 7/64 pro and get this message repeatedly.  Microsoft says to delete  MSSEOOBE.etl but that file doesn't appear to be in the 64 bit version of Microsoft Security Essentials
    If it happens when the PC is in SLEEP mode it causes an abnormal shutdown/recovery when the PC restarts. Did uninstall and reinstall MSE
    One MS thread says to contact the OEM - so here I am.
    I was also getting Code 10 Disk Errors but there was a MS KB fix for that
    Log Name:      Microsoft-Windows-Kernel-EventTracing/Admin
    Source:        Microsoft-Windows-Kernel-EventTracing
    Date:          5/29/2014 8:39:03 AM
    Event ID:      3
    Task Category: Session
    Level:         Error
    Keywords:      Session
    User:          SYSTEM
    Computer:      bill-THINK
    Description:
    Session "Microsoft Security Client OOBE" stopped due to the following error: 0xC000000D
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Kernel-EventTracing" Guid="{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}" />
        <EventID>3</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>2</Task>
        <Opcode>14</Opcode>
        <Keywords>0x8000000000000010</Keywords>
        <TimeCreated SystemTime="2014-05-29T13:39:03.627614300Z" />
        <EventRecordID>209</EventRecordID>
        <Correlation />
        <Execution ProcessID="4" ThreadID="212" />
        <Channel>Microsoft-Windows-Kernel-EventTracing/Admin</Channel>
        <Computer>bill-THINK</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="SessionName">Microsoft Security Client OOBE</Data>
        <Data Name="FileName">C:\ProgramData\Microsoft\Microsoft Security Client\Support\EppOobe.etl</Data>
        <Data Name="ErrorCode">3221225485</Data>
        <Data Name="LoggingMode">5</Data>
      </EventData>
    </Event>
    Any thoughts?  I guess I will try another AntiVirus but Microsoft Security Essential is running on 2 other Win 7 laptops
    Thanks

    Hi,
    Regarding the error messages mentioned here, have you checked the below thread?
    Microsoft Security Client OOBE stopped due to the following error: 0xC000000D
    Please take a try with the methods suggested by the others above.
    Best regards
    Michael Shao
    TechNet Community Support

  • Session "Microsoft Security Essentials OOBE" stopped due to the following error: 0xC000000D using win 7 64bit over and over BSOD

    Session "Microsoft Security Essentials OOBE" stopped due to the following error: 0xC000000D    using win 7 64bit over and over BSOD
    My event viewer has been coughing the error line above. It has led to the feeling of a Carotid Artery leak of memory where my whole
    system slowly stops working till BSOD. Windows Explorer just stops working then Death.
    I HAVE HAD THIS HAPPEN MORE AND MORE, AND IT APPEARS TO BE A PROGRAM PROBLEM, ANYBODY ELSE HAVE THIS.
    IT HAS COST ME 2 DAYS WORK NOW.
    MIKE

    Hi,
    When does the issue begin to occur?
    Since Windows system uses separated user mode and kernel mode memory space, stop errors are usually caused by kernel portion components, such as a hardware device, third-party drivers, backup software or anti-virus services (buggy services).
    Please refer to the following steps to troubleshoot the issue.
    1. Boot the computer in Clean Boot for a test.
    2. Temporarily disable all unnecessary hardware devices in Device Manager, such as Modem, sound card or external device.
    For detailed steps, we can refer to the link below:
    Device Clean Boot
    3. Upgrade the virus definition, run antivirus program and perform a full scanning.
    If the issue persists, please upload the minidump file (%systemroot%\minidump) to SkyDrive (www.skydrive.live.com), then share the link to me. I will be glad to assist you to analyze the data.
    Thanks,
    Novak

  • TLS Protocol Session Renegotiation Security Vulnerability - RV220W

    I have a 2013 Model Cisco RV220W.
    The bank scans our system for security.  The RV220W cannot pass the scan because it has "TLS Protocol Session Renegotiation Security Vulnerability".  This is due to it using open_ssl version 0.9.8e.  To solve the problem open_ssl version 0.9.8L or higher MUST be installed.  This security problem has been around since 2009 when it was discovered, long before this router was made.
    I need CISCO to release a firmware upgrade higher than the current 1.0.5.8 that will incorporate open_ssl version 0.9.8L or higher.
    Sincerely,
    Du-Rron Burton

    I found the vulnerability number CVE-2009-3555
    If u have applied the latest Critical Patch Update, you should b fine.
    Find more details here
    http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555

  • RV016 - TLS Protocol Session Renegotiation Security Vulnerability

    My RV016 with firmware 3.0.2.01-tm has failed PCI compliancy testing with my credit card company. They have identified that a TLS Protocol Session Renegotiation Security Vulnerability exists. I see that I have the most recent firmware version for my router and have disabled PPTP server, but I cannot get it to pass. How do I disable this feature?
    Steve

    I found the vulnerability number CVE-2009-3555
    If u have applied the latest Critical Patch Update, you should b fine.
    Find more details here
    http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555

  • Session cookie security

    A customer of mine asked me about session cookie security.
    Questions are :
    . session id randomness
    . session id length
    . events producing session end (timeouts, navigation outside etc..)
    . HTTP maximum header length
    Could someone provide me information/documentation about such questions ?
    Tks
    Tullio

    Again, you still did not mention if you are generalizing or speaking of a specific product and version. Since you posted your question in the "Forms" area, I guess we will assume you are referring to Forms. However, without the version information some of the info might vary. I guess in any case, you (or your customer) should try testing the product of choice as most Oracle products are free for download.

    Session Id Length should be long at least 20 random characters
        Here is an example of what is generated for Forms 10.1.2.3 (other versions may vary):
        jsessionid=9c1253bde83b0ed66ae9687525ef3536f960c8a0f40aa4fa14179b30656e1ea3

    Http header should be less than 2100 characters
        This will likely depend on exactly which product version is being used. Also, it will depend on exactly which "header" information is being considered as part of the count. For example, are you including all request and response data? Are you including any of the body data? Also consider that the host name and url parameters are part of these exchanges too. So the total amount of characters in my environment would likely differ from yours simply because of a difference in my host name and parameters that I pass to call my app. In doing just a couple of simple tests using a basic tool like ieHTTPheaders and running it against Forms 10.1.2.3 on my local machine, I can see that the total can range from around 1000 up into over 2000. So the exact header size is something you would need to test based on the app and environment to include the product version.

    Session timeout should be 15 minutes
        The concept of "session timeout" will vary depending on what exactly we are talking about. There are Forms sessions, db sessions, http sessions, java sessions, etc. For the most part, all of these session times are configurable. The only exception is the actual application itself. In other words, Forms, by design is intended to be living. Meaning, it will never die unless you kill it. You would need to program in to your app exactly when you want its session to be destroyed. If you wanted to destroy the app based on user inactivity, you would need to use a Java Bean in order to perform a clean exit. Any other method would result in an ugly termination. An example (unsupported demo) of such a bean is available on OTN in the Forms download area. As for the other session configurations, they are documented in the product docs.

  • Please help me-it's urgent,maintaining session and security using cookies.

    hi folks,
    I am presently developing a web site for an engineering college. I am facing a problem in maintaining the session using cookies, destroying a cookie and keeping security for the user. There are four links on my webpage, including a logout link. When I click the links other than the logout, it works perfectly, and when I click the logout link, I am not able to disable the cookie and am still able to visit previous pages by clicking the back button. Please give a suggestion as to how to disable the cookie and maintain the security for my web site.
    Thank u....

    Try out this login if it helps you.
    Create a bean that stores some String value. Then make an object of this bean using the useBean tag with session scope when a user logs in. Store the name of the user in the bean and also set the same name value in the Session object. Then on every JSP page compare the value set in the session object with the bean variable (which will have session scope). If the values match, then the JSP page output must be displayed to the user. Then on the logout link, invalidate the session object using the invalidate() method of the session class. As a result, when you try to navigate back to the old JSP page, null will be returned to you when you try to retrieve the name value from the session object. And since this null will not match the value in the bean, you should not proceed further with generating the output. Hope this helps
    Nirav ([email protected])
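
    An added example, not code from either poster: a logout handler along the lines of the reply above, plus the per-page check. It assumes a servlet container using the default `JSESSIONID` cookie; the class name, the `userName` attribute and `/login.jsp` are hypothetical. It also marks protected pages as non-cacheable, since the back button can otherwise show a copy kept by the browser without contacting the server at all.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. Map to /logout and submit to it with a form POST.
public class LogoutServlet extends HttpServlet {

    private static final String USER_ATTR = "userName";   // hypothetical attribute name
    private static final String LOGIN_PAGE = "/login.jsp"; // hypothetical login page

    /**
     * Call at the top of every protected page or servlet.
     * Returns the logged-in user name, or null after redirecting to the login page.
     */
    public static String requireUser(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        // Tell the browser not to keep a copy of the protected page, so the back
        // button after logout has to ask the server again.
        res.setHeader("Cache-Control", "no-store");

        HttpSession session = req.getSession(false); // never create a session here
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);
        if (user == null) {
            res.sendRedirect(req.getContextPath() + LOGIN_PAGE);
            return null;
        }
        return (String) user;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // 1. Destroy the server-side session: the id becomes worthless even if
        //    a copy of the cookie survives somewhere.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Ask the browser to drop its copy of the session cookie. The path must
        //    match the one the container used (the context path, or "/" for root).
        Cookie expired = new Cookie("JSESSIONID", "");
        String path = req.getContextPath();
        expired.setPath(path.isEmpty() ? "/" : path);
        expired.setMaxAge(0);
        res.addCookie(expired);

        // 3. Do not let the logout response itself be cached, then go to login.
        res.setHeader("Cache-Control", "no-store");
        res.sendRedirect(req.getContextPath() + LOGIN_PAGE);
    }
}
```

    In a JSP page the check is a single scriptlet line at the top: `if (LogoutServlet.requireUser(request, response) == null) return;`.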

  • Keep sessions with Secure iNet factory (jScape)

    I played around with JScapes demo of Secure iNet factory.
    Does anyone know how to keep the session up for multiple https requests?
    I have tried two approaches.
    1. Use the HttpSession object to do all the work.
    Https https = new Https();
    HttpSession session = new HttpSession(https);
    session.setAllowCookies(true);
    response = session.getResponse(request);
    2. Do it manually by storing all incoming cookies in a map and rewrite them to the request before sending.
    Neither works, and the server changes the session id after a while.

    Hi esaglik, welcome to the forum,
    the recovery cd (for booting) and dvd (recovery) you burned are for use when you are unable to recover from the service partition and will not work in conjunction with the lenovo care button. You need them should you e.g. put a new hard drive in your notebook. 
    As your Lenovo care button is working you should be able to recover from the service partition.
    Andy

  • Session Facade & security & transaction or is there a overhead using Local

    Can anybody tell me what happens with security when using a Session Facade ? I identify myself to the Session Facade, does it propagate the security information to e.g. an entity bean that is used within the Facade ?
    What happens when the Session Facade starts a transaction ? Does the Entity Bean also start a transaction (RequiredNew) ?
    I want to identify any possible existing overhead that occurs when using Local interfaces.
    Thanx for any replies,
    Max
    Student of Business Informatics
    Kepler University Linz, Austria

    This is what is meant by "container-managed". The container will manage the security when your session bean calls entity beans, etc. You configure that security via the deployment descriptors. The same goes for transactions if you use container managed. If you use bean managed transactions then you need to put the proper transaction code in your components.

  • TLS Protocol Session Renegotiation Security Vulnerability

    Has anyone out there been trying to figure out a way to deal with this TLS vulnerability?
    An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.
    This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

    I have updated the link.
    This is a TLS/SSL vulnerability that is industry wide. It is a problem with the protocols themselves, not the implementation. I am certain that it affects IronPort and have word that they are working on it.
    I was hoping someone from IronPort would jump in and let us know what was going on, and when we would expect to see an update for the AsynchOS.
    Thierry ZOLLER does a good job of explaining the issue at the below link.
    http://www.g-sec.lu/practicaltls.pdf

  • Session "Microsoft Security Client OOBE" stopped due to the following error: 0xC000000D

    I keep getting this Event in my event viewer and don't know what to do. Could use any help

    Hi,
    Regarding the error messages mentioned here, have you checked the below thread?
    Microsoft Security Client OOBE stopped due to the following error: 0xC000000D
    Please take a try with the methods suggested by the others above.
    Best regards
    Michael Shao
    TechNet Community Support

  • Session in java swing??

    Hi friends,
    I need to create session in java swing...
    I have a client running in swing and can access resources in multi-threaded server. I need to validate user using session. But i don't know how to use session.
    User has to login with username & password (authentication verified at server using socket communication).
    If successful the login frame vanishes and other options are displayed. user has a feature that he can send files to other
    user. so i need to use session for security purpose.
    Anyone help me with code
    Edited by: sathya_vn on Apr 20, 2008 5:41 PM

    Anyone help me with the code-----> u got tat wrong..
    I need to know how to use session with java swing. I requested if anyone has such code....
    This is a part of my project .
    Am using MySQL Database to store username and password.
    Client side interface has a frame (first frame--frame1) requesting client to provide login information. The login details <username and password> are sent to server. Server validates whether the login info is correct or not and returns true or false.
    If false the frame1 will show a JOptionPane ... message stating that wrong username or password specified.
    If true i need to create a session and other operations are done after session validation. I am using ssl socket.
    If u want the code then i have post around 300 or more lines..

  • How to set User Name in session?

    Can anyone tell me if there is an user name variable already stored in a session object to which I can assign the user's name? I usually do this by storing a variable in the session to hold that name. When I print the session object (I am using websphere) I get the following...You will notice that there is a user name field that has value anonymous....how can i change that to store the actual users name?
    Thanks in advance,
    jk.
    Session Object Internals:
    id : 1M12TXAPPYUZAJJJ4SS5IVY
    hashCode : 586456410
    create time : Sun Jun 30 15:17:38 MDT 2002
    last access : Sun Jun 30 15:17:40 MDT 2002
    max inactive interval : 1800
    user name : anonymous
    valid session : true
    new session : false
    session active : true
    overflowed : false
    session application parameters : com.ibm.servlet.personalization.sessiontracking.SessionApplicationParameters@385b1d5b
    session tracking pmi app data : com.ibm.servlet.personalization.sessiontracking.SessionTrackingPMIApplicationData@38581d5b
    enable pmi : true
    non-serializable app specific session data : {}
    serializable app specific session data : {}
    session data list : Session Data List -> id : 1M12TXAPPYUZAJJJ4SS5IVY next : LRU prev : MRU

    ok I did some more reading on the websphere literature and came to understand that the User Name indicated there was really set as part of an authenticated request from a secure page. And if the request was in an insecure page websphere automatically assigns "anonymous" to it.
    Security integration rules for HTTP sessions
    Sessions in unsecured pages are treated as accesses by "anonymous" users.
    Sessions created in unsecured pages are created under the identity of that "anonymous" user.
    Sessions in secured pages are treated as accesses by the authenticated user.
    Sessions created in secured pages are created under the identity of the authenticated user. They can only be accessed in other secured pages by the same user. To protect these sessions from use by unauthorized users, they cannot be accessed from an insecure page.

  • Policy Agent 2.2 /SJSAS 9.1 EE: security works sporadically

    Hi,
    I've been having some trouble getting SSO working between my Sun Portal Server 7.1/Access Manager 7.1 running on my Solaris x86 machine and the Sun Application Server 9.1 EE with a Sun AM Policy Agent 2.2 on it. I'm deploying a Java EE app that uses Spring MVC. The application is protected with declarative security. Here is the web.xml and sun-web.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/applicationContext.xml</param-value>
        </context-param>
        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
        <listener>
            <listener-class>util.ConfigPropertiesExposerListener</listener-class>
        </listener>
        <servlet>
            <servlet-name>dispatcher</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <load-on-startup>2</load-on-startup>
        </servlet>
        <servlet-mapping>
            <servlet-name>dispatcher</servlet-name>
            <url-pattern>*.htm</url-pattern>
        </servlet-mapping>
        <session-config>
            <session-timeout>
                30
            </session-timeout>
        </session-config>
        <security-constraint>
            <display-name>All Users</display-name>
            <web-resource-collection>
                <web-resource-name>index</web-resource-name>
                <description/>
                <url-pattern>/index.htm</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
                <http-method>HEAD</http-method>
                <http-method>PUT</http-method>
                <http-method>OPTIONS</http-method>
                <http-method>TRACE</http-method>
                <http-method>DELETE</http-method>
            </web-resource-collection>
            <auth-constraint>
                <description>All</description>
                <role-name>USERS</role-name>
                <role-name>ADMINISTRATORS</role-name>
            </auth-constraint>
        </security-constraint>
        <welcome-file-list>
            <welcome-file>index.jsp</welcome-file>
        </welcome-file-list>
        <filter>
            <filter-name>Agent</filter-name>
            <filter-class> com.sun.identity.agents.filter.AmAgentFilter </filter-class>
        </filter>
        <filter-mapping>
            <filter-name>Agent</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>REQUEST</dispatcher>
            <dispatcher>INCLUDE</dispatcher>
            <dispatcher>FORWARD</dispatcher>
            <dispatcher>ERROR</dispatcher>
        </filter-mapping>
        <jsp-config>
            <taglib>
                <taglib-uri>/spring</taglib-uri>
                <taglib-location>/WEB-INF/spring.tld</taglib-location>
            </taglib>
            <taglib>
                <taglib-uri>http://jakarta.apache.org/taglibs/request-1.0</taglib-uri>
                <taglib-location>/WEB-INF/request.tld</taglib-location>
            </taglib>
            <taglib>
                <taglib-uri>http://www.springframework.org/tags/form</taglib-uri>
                <taglib-location>/WEB-INF/spring-form.tld</taglib-location>
            </taglib>
        </jsp-config>
        <security-constraint>
            <display-name>Protected</display-name>
            <web-resource-collection>
                <web-resource-name>Salary Increase</web-resource-name>
                <description/>
                <url-pattern>/salaryincrease.htm</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
                <http-method>HEAD</http-method>
                <http-method>PUT</http-method>
                <http-method>OPTIONS</http-method>
                <http-method>TRACE</http-method>
                <http-method>DELETE</http-method>
            </web-resource-collection>
            <auth-constraint>
                <description>Just Admins</description>
                <role-name>ADMINISTRATORS</role-name>
            </auth-constraint>
        </security-constraint>
        <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
                <form-login-page>/login.jsp</form-login-page>
                <form-error-page>/loginerror.jsp</form-error-page>
            </form-login-config>
        </login-config>
        <security-role>
            <description/>
            <role-name>USERS</role-name>
        </security-role>
        <security-role>
            <description/>
            <role-name>ADMINISTRATORS</role-name>
        </security-role>
        <resource-ref>
            <res-ref-name>jdbc/oracle</res-ref-name>
            <res-type>javax.sql.DataSource</res-type>
            <res-auth>Container</res-auth>
            <res-sharing-scope>Shareable</res-sharing-scope>
        </resource-ref>
    </web-app>
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
    <sun-web-app error-url="">
        <context-root>/accesstest</context-root>
        <class-loader delegate="true"/>
        <security-role-mapping>
            <role-name>ADMINISTRATORS</role-name>
            <group-name>id=Administrators,ou=role,o=EnterpriseSample,ou=services,dc=domain,dc=com</group-name>
        </security-role-mapping>
        <security-role-mapping>
            <role-name>USERS</role-name>
            <group-name>id=Users,ou=role,o=EnterpriseSample,ou=services,dc=domain,dc=com</group-name>
        </security-role-mapping>
        <jsp-config>
            <property name="keepgenerated" value="true">
                <description>Keep a copy of the generated servlet class' java code.</description>
            </property>
        </jsp-config>
        <session-config>
            <session-manager/>
        </session-config>
    </sun-web-app>
    The two roles that I'm working with, Administrators and Users, I created for development purposes to test SSO against the Enterprise Sample.
    So the problem is that sometimes SSO works and sometimes it doesn't. When I try to go to my app, sometimes it acts like it's supposed to: It redirects you to the AM login page, you log in, and then it redirects you back to the app. Most of the time, after I redeploy or restart the domain/instance, when I log in the redirect back to my app returns an "access denied" page from app server.
    Can anyone help me to debug this problem? How can I view what role my app is receiving from Access Manager after login? Where does the Security Audit Module log to? Will it help me debug this problem? There is not much in the documentation on it.
    Any help would be appreciated.
    -Matt

    Hi again MHGL and Sean,
    Sorry I didn't explain this last time. My fault.
    I looked at:
    http://wikis.sun.com/display/OpenSSO/J2EEAgentTrouble#J2EEAgentTrouble-redirecterrors
    This appears to be the issue you are talking about MHGL.
    My deployment has the AM7.1/AS8.2 instance on a different server than my Policy Agent 2.2/Spring App/AS8.2 instance. This bug talks about the AM and Agent on the same server.
    I attempted both solutions, com.iplanet.am.cookie.encode=true and com.sun.identity.agents.config.sso.decode=false. They caused my request to redirect back and forth between both servers, ending with a page in Firefox that says "Firefox has detected that the server is redirecting the request for this address in a way that will never complete."
    Sorry for the confusion. I appreciate all the help. Let me know if you have any other suggestions and I'll continue to update when things get resolved.
    -Matt

  • Internet Security when trading with online broker using airport

    I like to day trade in my free time. I also travel a lot since I am active duty US military. Sometimes I'll be sitting in a hotel or a wi-fi spot trading using safari or a platform(app) and I have growing concerns for safety and security.
    I am using a Macbook Pro I purchased in 2009, I always keep it updated. Is there anything else I should/could do to ensure the security and privacy of my accounts while using public wi-fi such as hotels and libraries. Even if I am trading from home!
    Is the manufacturer firewall sufficient to prevent hacking?
    I understand there's only so much I can do, but I would like to do as much as possible to ensure the security of my information such as passwords and account information.
    I will be extremely grateful for any help!!! Thanks for reading friends

    As long as your trading sessions are encrypted (verified by the https in the URL and the lock icon at the top right of the Safari window or tab you're in), you're safe. But that doesn't mean the Wi-Fi session is secure. Even so, unless somebody has the means to decrypt your transaction, they can't get any information during your session.
