marchaos

Reputation: 3444

Does the Play! framework have any built in mechanism to prevent session hijacking?

I've read that the play framework solves the session fixation issue by hashing the session id with the application key, but does it provide any mechanism to prevent session hijacking, or is this left up to the implementor?

Upvotes: 12

Views: 2538

Answers (2)

Dominik Dorn

Reputation: 1831

No, there is no built-in way to prevent the hijacking of a session as soon as someone is able to capture the session cookie (through sniffing / man in the middle). There are some ways to make it harder, e.g.:

  • using only https
  • setting application.session.httpOnly in application.conf

One approach to make it harder is to store the IP / user-agent / resolution / other stuff, or a hash of that, also in the session. In your controller you then check whether the user that accesses your site still recreates the same hash. The only real problem is with people that are using a proxy that e.g. changes the IP on the fly because of clustering.

A little trick you could try to use (works only in recent browsers): when a user logs in, store some stuff in HTML5 local storage. Modify your Ajax calls to supply this information from the local storage. If the information is missing/invalid, you can invalidate the whole session. But you'll have to make sure that the checks only get applied against requests from HTML5 browsers.

Hope this helps a bit.

Upvotes: 3
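The session-binding check described in the answer above, as an added example in Play 1.x style (this is illustrative code, not code from the answerer or from the Play project). It assumes the Play 1.x controller API (`@Before` interceptors, the static `session` and `request` objects, `forbidden()`); the controller name `SessionGuard`, the session key `"fp"` and the choice of remote address plus User-Agent as the fingerprint are assumptions for the example.

```java
package controllers;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import play.mvc.Before;
import play.mvc.Controller;
import play.mvc.Http;

// Example controller (assumed name) that binds the signed Play session to a
// fingerprint of the client. Controllers that need the check extend this class
// or call checkSessionBinding() from their own @Before interceptor.
public class SessionGuard extends Controller {

    // Session key under which the fingerprint is stored (assumed name).
    private static final String FP_KEY = "fp";

    // Hash of attributes the server observes for this request. The remote
    // address is seen by the server; the User-Agent is client-controlled and
    // only raises the bar for an attacker who copied the cookie but not the
    // rest of the victim's request headers.
    static String fingerprint(Http.Request req) {
        // Play 1.x stores header names in lower case.
        Http.Header ua = req.headers.get("user-agent");
        String raw = req.remoteAddress + "|" + (ua == null ? "" : ua.value());
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(raw.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    // Call this from the login action once credentials have been verified:
    // it records which client the session was issued to.
    static void bindSession() {
        session.put(FP_KEY, fingerprint(request));
    }

    // Runs before every action. A session cookie replayed from a different
    // address or browser is cleared and the request is refused.
    @Before
    static void checkSessionBinding() {
        String bound = session.get(FP_KEY);
        if (bound == null) {
            return; // not logged in yet; nothing to protect
        }
        byte[] expected = bound.getBytes(StandardCharsets.UTF_8);
        byte[] actual = fingerprint(request).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so the check leaks nothing about the hash.
        if (!MessageDigest.isEqual(expected, actual)) {
            session.clear();
            forbidden("Session does not match this client");
        }
    }
}
```

The caveat from the answer applies directly: behind a proxy pool or carrier NAT the remote address can change between requests of the same legitimate user, so deployments that see that traffic usually drop the address from the fingerprint (or read the client address from a trusted `X-Forwarded-For` set by their own load balancer) and accept that the remaining User-Agent check is weak.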

Codemwnci

Reputation: 54884

The Play documentation has a good section on security, so rather than duplicate it, here is a link: http://www.playframework.org/documentation/1.2.4/security.

It covers

  • XSS
  • SQL Injection
  • Session security
  • Cross site request forgery

Some you have to implement yourself, others you don't.

Your specific question about session hijacking is automatic.

The session is a hash of key/values, signed but not encrypted. That means that as long as your secret is safe, it is not possible for a third-party to forge sessions.

Upvotes: 3
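To make the "signed but not encrypted" point concrete, here is an added stand-alone Java example (not Play's implementation, and not code from the answerer). It models a session cookie as a bag of key/value pairs followed by an HMAC under the application secret, loosely in the shape of Play 1.x cookies (hex signature, a dash, then URL-encoded pairs). The secret, the cookie layout and the sample values are constructed for the example; it shows that a reader can see the session contents without the key, while any change to them invalidates the signature.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignedSession {

    // Constructed placeholder standing in for application.secret.
    private static final String SECRET = "example-secret-not-for-production";
    // Separator between key=value pairs inside the signed payload.
    private static final String SEP = "\u0000";

    static String hmacSha1Hex(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(SECRET.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        byte[] out = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : out) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Serialise and sign: "<hex hmac>-k1=v1\0k2=v2". Nothing is encrypted.
    static String encode(Map<String, String> values) throws Exception {
        StringBuilder data = new StringBuilder();
        for (Map.Entry<String, String> e : values.entrySet()) {
            if (data.length() > 0) {
                data.append(SEP);
            }
            data.append(URLEncoder.encode(e.getKey(), "UTF-8"))
                .append('=')
                .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return hmacSha1Hex(data.toString()) + "-" + data;
    }

    // Parse the payload only. Anyone holding the cookie can do this.
    static Map<String, String> readWithoutKey(String cookie) throws Exception {
        int dash = cookie.indexOf('-');
        String data = dash < 0 ? "" : cookie.substring(dash + 1);
        Map<String, String> out = new LinkedHashMap<>();
        if (data.isEmpty()) {
            return out;
        }
        for (String pair : data.split(SEP)) {
            int eq = pair.indexOf('=');
            if (eq < 0) {
                continue;
            }
            out.put(URLDecoder.decode(pair.substring(0, eq), "UTF-8"),
                    URLDecoder.decode(pair.substring(eq + 1), "UTF-8"));
        }
        return out;
    }

    // Verify the signature (constant-time), then parse. Rejects forgeries.
    static Map<String, String> decode(String cookie) throws Exception {
        int dash = cookie.indexOf('-');
        if (dash < 0) {
            throw new SecurityException("malformed session cookie");
        }
        String sig = cookie.substring(0, dash);
        String data = cookie.substring(dash + 1);
        byte[] expected = hmacSha1Hex(data).getBytes(StandardCharsets.UTF_8);
        byte[] presented = sig.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, presented)) {
            throw new SecurityException("session signature invalid");
        }
        return readWithoutKey(cookie);
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> session = new LinkedHashMap<>();
        session.put("username", "alice");   // constructed sample values
        session.put("role", "user");
        String cookie = encode(session);

        // 1. Confidentiality: the contents are readable without the secret.
        System.out.println("readable without key: " + readWithoutKey(cookie));

        // 2. Integrity: the server accepts the untouched cookie ...
        System.out.println("server accepts:       " + decode(cookie));

        // ... but rejects one where the attacker changed role=user to role=admin.
        String forged = cookie.replace("role=user", "role=admin");
        try {
            decode(forged);
            System.out.println("BUG: forged cookie accepted");
        } catch (SecurityException e) {
            System.out.println("forgery rejected:     " + e.getMessage());
        }
    }
}
```

This is exactly the split the answer draws: as long as the secret stays secret, a third party cannot mint or alter a session, but the scheme does nothing to hide what is in it, and nothing here stops someone who has stolen the whole, correctly signed cookie from replaying it.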
