Tuesday, October 08, 2013

Java EE 6/7 Session Security

I was testing some additional functionality that is available for security on Java EE 6 and EE 7 platforms. One item that is extremely important for all developers is limiting what a Cross-Site Scripting (XSS) flaw can do with the session cookie. This can normally be handled very easily by adding http-only to your web.xml configuration, which stops client-side script from reading the cookie.
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
</session-config>

This works on most application servers. More on that later.
Additionally, you will likely want to allow the JSESSIONID only as a cookie, to prevent the session identifier from being placed in the URL. This is accomplished by adding tracking-mode to your web.xml configuration.
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

This is again a common sense approach that has been mentioned in a number of publications and articles. However, this simple EE 6 configuration did not work for me on IBM WebSphere. There is a security mechanism called "Programmatic session cookie configuration" that prevents the JSESSIONID cookie from being modified. I found that I could rename the JSESSIONID for the application in the web.xml to get around this restriction. Here is my new configuration with a nod to the NSA:
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <name>NSA-JSESSIONID</name>
        <http-only>true</http-only>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
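The three web.xml fragments above can also be expressed through the Servlet 3.0 SessionCookieConfig API, which is the "programmatic session cookie configuration" that WebSphere restricts. The listener below is an added example, not code from the post or its project: it applies the same cookie name, http-only flag and cookie-only tracking at startup, additionally marks the cookie Secure (which assumes the application is only served over HTTPS), and then audits the effective settings and writes any gap to the container log. The class name, the audit messages and the use of the Secure flag are assumptions; the cookie name mirrors the web.xml in the post.

```java
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Added example, not code from the original post. Applies the same session
 * cookie hardening as the web.xml above through the Servlet 3.0 API, then
 * audits the effective settings and logs anything that is still weak.
 */
@WebListener
public class SessionCookieHardener implements ServletContextListener {

    // Assumed cookie name; mirrors the web.xml in the post
    static final String COOKIE_NAME = "NSA-JSESSIONID";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();

        cfg.setName(COOKIE_NAME);
        cfg.setHttpOnly(true); // hide the cookie from document.cookie
        cfg.setSecure(true);   // assumption: the application is served over HTTPS only
        // The cookie path follows the context path; a root context needs "/"
        cfg.setPath(ctx.getContextPath().isEmpty() ? "/" : ctx.getContextPath());

        // Cookie only: never let the container fall back to URL rewriting
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        for (String finding : audit(ctx)) {
            ctx.log("Session cookie audit: " + finding);
        }
    }

    /**
     * Returns the problems found in the effective session configuration;
     * an empty list means the cookie is HttpOnly, Secure and cookie-only.
     */
    static List<String> audit(ServletContext ctx) {
        List<String> findings = new ArrayList<String>();
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();
        if (!cfg.isHttpOnly()) {
            findings.add("session cookie is not HttpOnly");
        }
        if (!cfg.isSecure()) {
            findings.add("session cookie is not marked Secure");
        }
        if (ctx.getEffectiveSessionTrackingModes().contains(SessionTrackingMode.URL)) {
            findings.add("URL rewriting is enabled; the session id can leak into URLs and logs");
        }
        return findings;
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }
}
```

Use either the web.xml fragment or the listener, not both, so there is a single place where the cookie name is defined. The setters and setSessionTrackingModes may only be called while the context is initializing (they throw IllegalStateException afterwards), which is why the work sits in contextInitialized; on WebSphere the post reports that this programmatic path is blocked for the default JSESSIONID, so the renamed cookie is what makes either form take effect there.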

When I made the changes, everything worked as expected, but I wanted to make sure that when my session is invalidated I clean up my "NSA" tracks. So I created a new logout method for my JSF-based application.
import java.text.MessageFormat;
import java.util.Map;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

private static final String COOKIE_NAME = "NSA-JSESSIONID";

public String invalidate() {
    FacesContext fc = FacesContext.getCurrentInstance();
    ExternalContext ec = fc.getExternalContext();
    Map<String, Object> cookieMap = ec.getRequestCookieMap();

    if (cookieMap.containsKey(COOKIE_NAME)) {
        // Setting max-age on the request cookie alone changes nothing on the
        // client: the browser only drops the cookie when an expired copy with
        // the same name and path is sent back in the response.
        Cookie expired = new Cookie(COOKIE_NAME, "");
        expired.setMaxAge(0);
        String path = ec.getRequestContextPath();
        expired.setPath(path.isEmpty() ? "/" : path);
        ((HttpServletResponse) ec.getResponse()).addCookie(expired);
        // Log the name only; the session id itself does not belong in stdout
        System.out.println(MessageFormat.format("setMaxAge(0) on {0}", COOKIE_NAME));
    }

    ec.invalidateSession();
    return null;
}

UPDATE

Here is the code for the project: security-configuration-example
