Navnath

Reputation: 9

can we avoid session hijacking using spring security?

We are using Apache Tomcat as the server for our Spring MVC based web application. If a user has logged in from a browser, let's say Chrome, and we copy its JSESSIONID and paste it into another browser, let's say Firefox, then from Firefox we are able to access the modules assigned to the particular user who logged in from Chrome.

How can we prevent such session hijacking by using Spring Security? Or, in general, what should we code in order to get rid of session hijacking? Thanks!

Upvotes: 0

Views: 2740

Answers (2)

Navnath

Reputation: 9

I did this to make it secure and HttpOnly and it worked. Implementation Procedure in Apache Tomcat:

1) Open the httpd.conf file. Find the following line using CTRL + F in your text editor:

    #LoadModule headers_module modules/mod_headers.so

2) Remove the #

3) Add the following entry in httpd.conf:

    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

4) Restart Apache HTTP server

Upvotes: 0

Krisz

Reputation: 2264

I don't think having access to a user's browser with a logged-in session qualifies as "session hijacking". You can mitigate the risk using the HttpOnly and Secure flags when setting the cookie, thus it cannot be read by JavaScript and will only be forwarded on a secured channel (HTTPS). Walking over to someone's computer and copying the cookie from one browser to another is a whole different topic that I don't think you can do much about with Spring Security.

Upvotes: 2
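Both answers talk about the HttpOnly and Secure cookie flags; the first sets them at an Apache httpd front end with mod_headers. The following is an added example, not code from the question or from either answer, showing the same flags set by the servlet container itself plus the session controls Spring Security does offer (session fixation protection, one session per user, full invalidation on logout). It assumes a Spring MVC WAR on Tomcat with the Servlet 3.x `javax.servlet` API and Spring Security 5.4 or later; the package name, class names and the `/login?expired` URL are illustrative choices.

```java
// --- File: SessionCookieHardening.java (assumed name) ---
package com.example.session; // assumed package

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Marks JSESSIONID as HttpOnly (unreadable from JavaScript, so an XSS bug in a
 * page cannot read it) and Secure (never sent over plain HTTP). This is the
 * container-side equivalent of the mod_headers rule in the first answer and
 * must run before the context finishes starting, which a listener guarantees.
 */
@WebListener
public class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cookie = sce.getServletContext().getSessionCookieConfig();
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}

// --- File: SecurityConfig.java (assumed name) ---
package com.example.session; // assumed package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Refuse plain HTTP outright, so neither the cookie nor the login
            // form ever crosses the wire in clear text.
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())
            .authorizeRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                // Issue a fresh session id at login, so an id that existed
                // before authentication (session fixation) is never promoted
                // to an authenticated session.
                .sessionFixation().migrateSession()
                // One live session per user: a second login from another
                // browser expires the first one instead of coexisting with it.
                .maximumSessions(1)
                .maxSessionsPreventsLogin(false)
                .expiredUrl("/login?expired"))
            .logout(logout -> logout
                // Invalidate server-side and delete the cookie, so a JSESSIONID
                // copied earlier stops working as soon as the user logs out.
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID"));
        return http.build();
    }

    /** Needed for maximumSessions(): lets Spring Security observe session destruction. */
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

Note what this does and does not buy you, in line with the second answer: a cookie pasted into a second browser presents the same session, so nothing in the container or in Spring Security can tell the two browsers apart. What the settings above do is shrink the ways the cookie can leak (no JavaScript access, no plaintext transport, no reuse of a pre-login id) and shorten how long a leaked copy stays useful (one session per user, real invalidation on logout, and the usual idle timeout from `session-config` in web.xml).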
