on 11-29-2016 7:33 AM
Hybris Version : 6.1
In our Hybris B2B project the security scans raised a concern regarding the same JSESSIONID before and after login (the GUID is different though). This seems to be happening with the ASM module. In the project we have field agents who can place orders for customers using the assisted service module.
I understand the hybris storefront has its own implementation for session fixation, but it doesn't seem to get applied for the ASM module.
<security:session-management session-authentication-strategy-ref="fixation"/>
<bean id="fixation" class="de.hybris.platform.servicelayer.security.spring.HybrisSessionFixationProtectionStrategy"/>
Can someone point out what we are missing or how to fix this, and whether I am looking in the wrong location?
Appreciate your help.
The session id doesn't change, but as you've noticed the GUID cookie does.
The GUID is stored in your session and is a secure-only cookie. It is checked in the RequireHardLoginBeforeController, and if the value sent in the cookie doesn't match the one on the server in the session then you'll be redirected to the login page. Even if someone has your JSESSIONID value they can't impersonate you without the matching acceleratorSecureGUID value.
This made more sense when you were browsing on an http connection and then switched to https for login. The JSESSIONID could be captured by sniffing network traffic and the acceleratorSecureGUID couldn't, because it is only sent over https connections.
In reality, for recent accelerators the entire site is served over https, so there isn't an opportunity to sniff the JSESSIONID either.
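Added illustration, not Hybris' own code, of the two controls this thread touches: the GUID-in-session versus Secure-cookie check the answer describes (mismatch means redirect to login) and the session-id rotation at login that the question expected from the fixation strategy. It uses the plain Servlet API instead of Hybris classes; the cookie name is the one named in the thread, while the class name, SESSION_ATTR and LOGIN_PATH are assumptions.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
// Illustrative filter (not the Hybris implementation): the server keeps a GUID in the HTTP
// session and sets the same value as a Secure, HttpOnly cookie; a mismatch means "not logged in".
public class SecureGuidCheckFilter implements Filter {
    static final String COOKIE_NAME = "acceleratorSecureGUID"; // name from the thread
    static final String SESSION_ATTR = "secureGUID";           // assumption
    static final String LOGIN_PATH = "/login";                 // assumption
    private static final SecureRandom RNG = new SecureRandom();
    // Call on successful login: rotate the session id (fixation defence) and mint a fresh GUID.
    public static void onLogin(HttpServletRequest req, HttpServletResponse resp) {
        req.changeSessionId(); // Servlet 3.1+: new JSESSIONID, existing attributes kept
        byte[] raw = new byte[32]; RNG.nextBytes(raw);
        String guid = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        req.getSession().setAttribute(SESSION_ATTR, guid);
        Cookie c = new Cookie(COOKIE_NAME, guid);
        c.setSecure(true);   // only sent over HTTPS, so never exposed on a plain-HTTP hop
        c.setHttpOnly(true); // not readable from page scripts
        c.setPath("/");
        resp.addCookie(c);
    }
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(SESSION_ATTR);
        String presented = null;
        if (expected != null && req.getCookies() != null) {
            for (Cookie c : req.getCookies()) {
                if (COOKIE_NAME.equals(c.getName())) presented = c.getValue();
            }
        }
        // Anonymous sessions carry no GUID and pass through; logged-in sessions must present
        // it, compared in constant time so a mismatch does not leak the value through timing.
        if (expected != null && (presented == null
                || !MessageDigest.isEqual(expected.getBytes(), presented.getBytes()))) {
            ((HttpServletResponse) response).sendRedirect(req.getContextPath() + LOGIN_PATH);
            return;
        }
        chain.doFilter(request, response);
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Register the filter ahead of the storefront controllers and call onLogin from the authentication success handler; the same cookie check applies to ASM agent logins only if the ASM login path goes through that handler.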