Krishnaveer

Reputation: 53

Spring security, JSESSIONID copy issue

I am using Spring Security (form authentication) to authenticate incoming users. We logged in with a genuine user ID and password. Now I just copied the JSESSIONID from the browser, created a new HTTP request from Android and passed the same JSESSIONID to the Spring service. The request got authorized from Android as well.

This means anyone can breach security once he gets a proper JSESSIONID.

How can we avoid this situation in Spring Security?

Upvotes: 3

Views: 430

Answers (1)

Neil McGuigan

Reputation: 48256

This is not a real threat.

Your threat model is: User can authenticate and copy their own session ID to another machine they control.

A hacker cannot steal someone else's session ID. That's the important part.

Upvotes: 3
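For readers who still want to limit what a copied JSESSIONID is worth (the question's how-to, read together with the answer's point that the session ID first has to leak), the following is an added configuration example. It is not code from the question, the answer, or the Spring project itself. It assumes Spring Security 6 on Spring Boot 3, a login page served at `/login`, and static assets under `/css/**`; the class name `SessionHardeningConfig` is an assumed name. It combines the session controls Spring Security already offers: session-fixation protection so the ID changes at login, concurrency control so a second login expires the earlier session, and logout that invalidates the session and clears the cookie.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

// Assumed example configuration (not from the question, the answer, or Spring itself).
@Configuration
public class SessionHardeningConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Everything except the login page and static assets needs an authenticated session.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form
                .loginPage("/login")
                .permitAll())
            // Logout destroys the server-side session and removes the cookie, so a
            // JSESSIONID captured earlier stops working once the user logs out.
            .logout(logout -> logout
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID"))
            .sessionManagement(session -> session
                // Issue a fresh session ID at login; an ID obtained before
                // authentication does not become an authenticated one.
                .sessionFixation().migrateSession()
                // Allow one live session per user. A new login from another device
                // expires the older session instead of leaving both valid.
                .maximumSessions(1)
                .maxSessionsPreventsLogin(false)
                .expiredUrl("/login?expired"));
        return http.build();
    }

    // Required for concurrency control: lets Spring Security learn when
    // sessions are destroyed so the per-user session count stays accurate.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

The cookie attributes are set by the servlet container rather than this class; on Spring Boot the properties `server.servlet.session.cookie.http-only=true`, `server.servlet.session.cookie.secure=true` and a short `server.servlet.session.timeout` keep the ID out of page scripts, off plain HTTP, and short-lived. None of this stops a user from deliberately moving their own session to a second device they control, which is the scenario the answer describes; it narrows the window and the channels through which the ID can be taken from them, and makes a stolen ID die on the next login or logout.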
