6 Replies   Latest reply: Jul 10, 2008 1:15 AM by PaKo

    How to hide JSESSIONID in first-page Url?

    PaKo
      Hi!

      Is it possible to hide JSESSIONID in url of first accessed page in application?

      (In a non-SSL config, copying this param allows any client to gain access to the server session, which was previously authenticated, and thus avoid JAAS authentication. This is very unpleasant OC4J behavior. Other platforms are using "hidden" session identification mechanisms which are not much more intrusion-proof but are less obvious to end-users.)

      Kind regards for any tip,
      Pavle
        • 1. Re: How to hide JSESSIONID in first-page Url?
          577207
          Hi,

          Please can you state the version and which page do you refer?

          Anyway you might review; Oracle Metalink Document: How To Disable JSESSIONID from displaying in Status Bar: Doc ID: Note:421526.1

          https://metalink.oracle.com/metalink/plsql/f?p=130:14:284226020920862049::::p14_database_id,p14_docid,p14_show_header,p14_show_help,p14_black_frame,p14_font:NOT,421526.1,1,1,1,helvetica

          Adith
          • 2. Re: How to hide JSESSIONID in first-page Url?
            PaKo
            Hi Adith!

            Thank you very much for your response.

            I'm using OC4J 11g (embedded in JDev 11g TP4), but I think it is a same issue with 10g.

            The problem is that it is possible to skip JAAS authentication if you:
            1. copy jsessionid from the first page
            2. login
            3. close browser
            4. after some time, open browser again
            5. type the url for some protected content in your web app and append the jsessionid you copied in step 1.

            I know the only "normal" way to solve this is by using SSL/Https. But MS.Net is using a "hidden" cookie from the beginning (not showing the sessionid in the first page url, as OC4J does), so the users are not aware of this security breach (even though it exists anyhow!).

            Regards,

            Pavle
            • 3. Re: How to hide JSESSIONID in first-page Url?
              Steve Button-Oracle
              Hi PaKo

              Let me see if I can get this straight.

              You are saying that when you first access a page/app that establishes a session, the JSESSIONID parameter is displayed in the URL of the browser?

              The default behaviour for OC4J should be to employ cookies to store the jsessionid value -- so it's not directly visible in the browser window.

              This behaviour is modified in two ways:

              1. The browser itself is not configured to not enable cookies and as such, the application is using the encodeURL method to force the use of a URL parameter to store the jsessionid.

              2. The OC4J container is configured specifically to not use cookies using a setting in the application's orion-web.xml file or its set globally in the j2ee/home/config/global-web-application.xml file.

              The description of this is here:

              http://download.oracle.com/docs/cd/B25221_04/web.1013/b14426/sessions.htm#CHDDBEAA

              Please note that I'm not saying what you are seeing is not true, but I'd like to understand the specifics of what you are doing to see this.

              -steve-
              • 4. Re: How to hide JSESSIONID in first-page Url?
                PaKo
                Hi Steve!

                Yes, you got it right.

                In the first page, if the page is not protected so the redirect to JAAS login is not performed, jsessionid is visible in the url. The behavior is on JDev 11g TP4 with both JSF and ADFc controllers. After the first page, jsessionid is removed from the url, so cookie-based session is enabled. But, if jsessionid is provided in the url for some other page, the session is identified by the supplied jsessionid even if the cookie is different.

                I read somewhere that this is some "automatic" cookie-support detection by OC4J (which is checking if the url jsessionid is the same as the cookie; if not, then OC4J considers cookies are not supported on the client browser). Is there any way to force OC4J to use only cookie-based session identification?

                Regards,

                Pavle
                • 5. Re: How to hide JSESSIONID in first-page Url?
                  Steve Button-Oracle
                  gday Pavle --

                  I did some testing on this yesterday with a straight JSP/Servlet based, session enabled application and I observed this happening for the very, very first request of a brand new browser process. As soon as you go to the second page, the jsessionid is removed from the URL. Logging out of the application and logging back in, using the same browser process doesn't result in the jsessionid appearing again.

                  On the automatic cookie detection -- yes the container can determine if cookies are supported. If they are not, then it will use the url + jsessionid approach IFF the application has used the response.encodeURL() method on any links it presents in the application. If the application has not used the encodeURL method, then it won't work correctly. We don't do any auto encoding of URLs -- the application has to do it, and then we'll use it if cookies are disabled.

                  I tried it with Firefox, Opera and even Internet Exploder and the same behaviour occurs.

                  I'll look into it some more and post a bug if one needs to be entered. If I do, I'll let you know the bug number so that if you need a patch, you can log a support tar and reference the bug.

                  -steve-
                  • 6. Re: How to hide JSESSIONID in first-page Url?
                    PaKo
                    Hi Steve!

                    Thank you for the update.

                    I would still consider it a bug. There is no reason that the very first request is treated differently from the following ones. Also, as I pointed out, later inclusion of jsessionid in the url of some subsequent request associates the request to the injected jsessionid even if the browser cookie is present with a different jsessionid. This way, it is possible to override the cookie with the url-provided jsessionid, which is very disputable behavior from a security/privacy protection point of view. Thus, I would suggest modifying this behavior so that a url-provided jsessionid cannot override the cookie.

                    Please investigate this issue further and keep us informed.

                    Kind regards,

                    Pavle
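The mitigation Pavle asks for in post 6 (a url-provided jsessionid must never take over a cookie-identified session) can be enforced at the application level with a servlet filter mapped to /*, as in this added example; it is not code from the thread or from OC4J, and the class name CookieOnlySessionFilter is hypothetical. It relies on the standard Servlet API call isRequestedSessionIdFromURL(), which reports whether the container took the session id from the ";jsessionid=" path parameter rather than from a cookie.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Refuses session identifiers carried in the URL (";jsessionid=...") so that a
 * URL-supplied id can never be associated with, or override, the cookie-based
 * session. Hypothetical example class, not part of OC4J.
 */
public class CookieOnlySessionFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // The Servlet API records where the container took the id from.
        if (req.isRequestedSessionIdFromURL()) {
            // Whatever session the URL id resolved to, drop it: this request is
            // not allowed to continue under an id it did not receive as a cookie.
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            // Redirect to the same resource with the path parameter stripped;
            // the container then issues a fresh, cookie-based session id.
            String clean = req.getRequestURI().replaceFirst("(?i);jsessionid=[^;/?]*", "");
            if (req.getQueryString() != null) {
                clean += "?" + req.getQueryString();
            }
            res.sendRedirect(clean);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

The trade-off is exactly the one discussed in the thread: with this filter in place, clients that reject cookies can no longer hold a session at all, even if the application calls response.encodeURL() on its links.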