
ASM (Assisted Service Module) - Same JSESSIONID retained after login

Hybris Version : 6.1

In our Hybris B2B project the security scans raised a concern regarding the same JSESSIONID before and after login (the GUID is different though). This seems to be happening with the ASM module. In the project we have field agents who can place orders for customers using the assisted service module.

I understand the hybris storefront has its own implementation for session fixation, but it doesn't seem to be applied to the ASM module.

 <security:session-management session-authentication-strategy-ref="fixation"/>
 <bean id="fixation" class=""/>

Can someone point out what we are missing, how to fix this, or whether I am looking in the wrong location?

Appreciate your help



1 Answer

  • Posted on Dec 01, 2016 at 11:03 AM

    The session id doesn't change but, as you've noticed, the GUID cookie does.

    The GUID is stored in your session and is a secure only cookie. It is checked in the RequireHardLoginBeforeController and if the value sent in the cookie doesn't match the one on the server in the session then you'll be redirected to the login page.

    Even if someone has your JSESSIONID value they can't impersonate you without the matching acceleratorSecureGUID value.

    This made more sense when you were browsing on an http connection and then switched to https for login. The JSESSIONID could be captured by sniffing network traffic and the acceleratorSecureGUID couldn't because it is only sent over https connections.

    In reality for recent accelerators the entire site is served over https so there isn't an opportunity to sniff the JSESSIONID either.

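To make the check described in the answer concrete, here is an added illustration written for this page, not Hybris's own code: a helper that mints the acceleratorSecureGUID at login and verifies it on later requests. The class name, the session attribute name and the use of a plain servlet API are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added illustration (not Hybris code): tie the session to a secure-only GUID cookie
// as the answer describes, so holding a JSESSIONID alone is not enough to be logged in.
public class SecureGuidCheck {
    static final String COOKIE_NAME = "acceleratorSecureGUID"; // cookie name from the answer
    static final String SESSION_ATTR = "secureGuid";           // assumed attribute name
    private static final SecureRandom RNG = new SecureRandom();

    // At login: mint a fresh random GUID, keep it in the session, send it as a Secure cookie.
    public static String issueGuid(HttpSession session, HttpServletResponse resp) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String guid = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(SESSION_ATTR, guid);
        Cookie c = new Cookie(COOKIE_NAME, guid);
        c.setSecure(true);   // sent over https only, so never exposed on plain http
        c.setHttpOnly(true); // not readable by page scripts
        c.setPath("/");
        resp.addCookie(c);
        return guid;
    }

    // The check: the cookie must equal the session copy; a missing or stale value fails,
    // and the caller then redirects to the login page.
    public static boolean guidMatches(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        Cookie[] cookies = req.getCookies();
        if (session == null || cookies == null) return false;
        Object expected = session.getAttribute(SESSION_ATTR);
        if (expected == null) return false;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) {
                byte[] a = expected.toString().getBytes(StandardCharsets.UTF_8);
                byte[] b = c.getValue().getBytes(StandardCharsets.UTF_8);
                return MessageDigest.isEqual(a, b);  // constant-time comparison
            }
        }
        return false;
    }
}
```

Call issueGuid once when the agent logs in, and gate every page that needs a hard login on guidMatches, redirecting to the login page whenever it returns false.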
