Session fixation is a minor problem in the big picture of web app
security. It gets only a trivial mention in the OWASP Top Ten and
generally doesn't show up in any surveys of application security
problems. The exploit generally requires physical access to the victim's
computer or a way to force a victim into using a particular sessionid.
Adding a method to allow developers to change the session id is good.
Even better would be if the session id rotation happens automatically
upon logon(). Then having a separate method for developers to force a
session id change is largely unnecessary (but probably useful for legacy
apps).
I'm not sure I understand why anyone would want to have a listener for
this event. Using the sessionid for anything other than the session is
an antipattern in my opinion. Having a listener might encourage this
and end up exposing the sessionid in new ways, undermining the purpose
of the method.
But as I mentioned last week, I'm concerned that we're not helping
developers out with the most important risks...
> At some point, the servlet team is going to have to start
> providing support to developers for protecting against
> web attacks. At least if we want people to use it for critical
> apps. XSS, CSRF, header injection, HPP, Clickjacking,
> open redirect/forward, sidejacking, URL rewriting, etc...
> they're all relatively easy to fix but nobody does.
> How about something that helps developers manage all
> the security-critical headers that have come out (X-Frame-
> Options, X-XSS-Protection, X-Download-Options, Strict-
> Transport-Security, etc...)
Is there interest here in addressing some of these issues? Or is this
the wrong forum?
--Jeff
-----Original Message-----
From: jsr340-experts-request_at_servlet-spec.java.net
[mailto:jsr340-experts-request_at_servlet-spec.java.net]
Sent: Tuesday, July 10, 2012 5:19 AM
To: jsr340-experts_at_servlet-spec.java.net
Subject: Digest for list jsr340-experts_at_servlet-spec.java.net
Table of contents:
1. [jsr340-experts] Re: Target Java version - Rajiv Mordani <rajiv.mordani_at_oracle.com>
2. [jsr340-experts] Re: SERVLET_SPEC-13: Make session fixation protection part of the spec - Shing Wai Chan <shing.wai.chan_at_oracle.com>
3. [jsr340-experts] Re: SERVLET_SPEC-13: Make session fixation protection part of the spec - Remy Maucherat <rmaucher_at_redhat.com>