I want to build a stateless web application using Java Servlets. Because it’s stateless, there is no HttpSession. There is a session in the browser, but each request might be handled by a different node in the cluster. The session identifier stored in the browser is generated and encrypted by the server, so it’s very hard for someone to craft a valid fake session ID and bypass login.
Recently I found a vulnerability in this architecture: if a malicious (infected) browser sends the session identifier to a bandit, the session can be easily hijacked. I can’t regenerate session identifier at each request because there is no session at the server to track the expected request sequence, and that would also complicate handling of asynchronous requests.
My solution so far is to get some HTTPS session identifier and include it on the encrypted session ID that is stored in the browser. Can a standard servlet get such information from HTTPS connection?
Another option would be using HttpSession just for getId(), but that would work only if such ID is tied to HTTPS session, which I couldn’t find in servlet specification.
Other suggestions are welcome.
The servlet container populates the SSL session ID in a HttpServletRequest attribute, to be used by downstream components. The attribute name happens to be
javax.servlet.request.ssl_session_id. To my knowledge, this is available in all containers implementing the Servlet Specification 3.0. Prior to Servlet Spec 3.0, this was available in limited containers – Tomcat and Jetty, if I’m not mistaken.Be forewarned though, that the SSL session ID is considered more secure than the container generated HTTP session cookie value. Leaking the SSL session ID would render even your HTTPS connections insecure.