3

I'm working on a web application with Spring MVC. I put profile data about my users in a session variable.

    // One boolean session attribute per profile name the admin holds; the
    // values come from the loaded Admin object, and the session itself lives
    // on the server (the browser only receives the session id cookie).
    for (AdminProfil ap : admin.getAdminProfils()) {
        String nomProfil = ap.getProfil().getNomProfil();

        if (nomProfil.equals("root")) {
            session.setAttribute("root", true);
        }
        else if (nomProfil.equals("saisie")) {
            session.setAttribute("saisie", true);
        }
        else if (nomProfil.equals("controle")) {
            session.setAttribute("controle", true);
        }
        else if (nomProfil.equals("validation")) {
            session.setAttribute("validation", true);
        }
    }

and in my JSP page:

    <%-- renders the block only when the "saisie" flag was set on the server side --%>
    <c:if test="${ sessionScope['saisie'] }">
        ......
    </c:if>

  1. I want to know if the session variable can be modified by one of my users or someone else who wants to hack my web application?
  2. If the session can be modified, what other solution can I use to stop a user from changing their profile?
  3. Is it okay to use a session variable in my case or are cookies better?
Llamax
Hayi
  • 1
    https://www.owasp.org/index.php/Session_hijacking_attack and https://www.owasp.org/index.php/Session_Management_Cheat_Sheet – kosa Apr 13 '15 at 20:02
  • 1
    Dupe of this? http://stackoverflow.com/questions/3798532/can-session-value-be-hacked (And that's got one flaw mentioned - if you send something to someone else's computer, that computer can pretty much do what it wants with the data you sent - including ignoring a cookie timeout...) – Andrew Henle Apr 13 '15 at 20:04
  • 1
    If your question is "can a user modify the data stored in the session", the answer is no. The session is stored in the server, and its content is not sent to the client. Only a session ID is sent to the client, in a cookie. – JB Nizet Apr 13 '15 at 20:08
  • Thanks, but what about the third point in my question? Is storing data in the session better than cookies in my case? – Hayi Apr 13 '15 at 20:24
  • 1
    The thing about the 3rd point is use and misuse. If the user data is small enough it's fine. If you pollute the session with loads of user data including photos and videos, Tomcat can drop out with an OOM. – injecteer Apr 13 '15 at 20:29

1 Answer

3

I want to know if the session variable can be modified by one of my users or someone else who wants to hack my web application?

No, session variables cannot be modified by one of your users or someone else.

However, if you're not careful, browsers can be tricked into using the wrong session cookie, and session cookies can be stolen:

  • Set the HttpOnly flag on your session cookie
  • Change the user's session id after they sign in to avoid session fixation
  • Use HTTPS and set the secure flag on your session cookie to avoid session hijacking
  • Protect your site against XSS and XSRF with a WAF like modsecurity

I'd recommend using Spring Security 4 instead of rolling your own system though.

Is it okay to use a session variable in my case or are cookies better?

Yes, it's okay. No, cookies are not better, as cookies can be modified by a user or someone else.

Neil McGuigan
  • 1
    I would like to second the advice to not use your own implementation of a security layer. It is hard enough for highly skilled and trained professionals to do it properly. Furthermore, you need good skills in doing penetration tests to make *sure* an implementation is done correctly. Reading the OWASP testing guide is a good start – but still only a start. There's a difference between knowledge and skill. – Markus W Mahlberg Apr 30 '15 at 18:25
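To make the answer's checklist concrete, here is an added example (not code from the question or from the answer) of the question's login flow with those items applied in Spring MVC on a Servlet 3.1 container. It assumes the question's `Admin`, `AdminProfil` and `Profil` classes, a hypothetical `AdminService` that authenticates against the database, and Spring 4 with component scanning; the two classes are shown in one listing and would each live in their own file.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

/** Hypothetical service (not from the question): checks credentials against the database. */
interface AdminService {
    /** Returns the Admin with its AdminProfils, or null when the credentials are wrong. */
    Admin authenticate(String login, String password);
}

/** Sets the session-cookie flags from the answer's checklist once, at startup. */
public class SessionHardeningInitializer implements WebApplicationInitializer {
    @Override
    public void onStartup(ServletContext ctx) throws ServletException {
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // JavaScript cannot read JSESSIONID, so an XSS bug cannot exfiltrate it
        cookie.setSecure(true);   // the browser sends JSESSIONID only over HTTPS, so it cannot be sniffed
    }
}

@Controller
public class LoginController {
    /** The only profile names that become session flags; anything else is ignored. */
    private static final Set<String> KNOWN_PROFILES =
            new HashSet<String>(Arrays.asList("root", "saisie", "controle", "validation"));

    private final AdminService adminService;

    @Autowired
    public LoginController(AdminService adminService) {
        this.adminService = adminService;
    }

    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public String login(@RequestParam String login, @RequestParam String password,
                        HttpServletRequest request) {
        Admin admin = adminService.authenticate(login, password);
        if (admin == null) {
            return "redirect:/login?error";
        }

        // Session fixation defence: whatever session id the browser carried before
        // login (possibly planted by an attacker) is replaced with a fresh one.
        // Attributes already in the session are kept; only the id changes.
        request.changeSessionId();
        HttpSession session = request.getSession();
        session.setMaxInactiveInterval(30 * 60); // idle timeout narrows the window for a stolen id

        // The flags are computed from the database record, never from anything the
        // client sent, so a user cannot grant themselves "root". They live on the
        // server; the browser only ever holds the opaque session id.
        for (AdminProfil ap : admin.getAdminProfils()) {
            String nomProfil = ap.getProfil().getNomProfil();
            if (KNOWN_PROFILES.contains(nomProfil)) {
                session.setAttribute(nomProfil, Boolean.TRUE);
            }
        }
        return "redirect:/home";
    }

    // Hiding a link with <c:if test="${sessionScope['root']}"> only changes what is
    // rendered; the controller must still check the flag itself, or anyone who
    // guesses the URL gets through.
    @RequestMapping(value = "/admin/users", method = RequestMethod.GET)
    public String adminUsers(HttpSession session, HttpServletResponse response) throws IOException {
        if (!Boolean.TRUE.equals(session.getAttribute("root"))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }
        return "admin/users";
    }

    @RequestMapping(value = "/logout", method = RequestMethod.POST)
    public String logout(HttpSession session) {
        session.invalidate(); // drops every server-side flag; the old JSESSIONID is now useless
        return "redirect:/login";
    }
}
```

`HttpServletRequest.changeSessionId()` needs Servlet 3.1; on an older container the equivalent is to copy the attributes, call `session.invalidate()`, and write them into `request.getSession(true)`. The same `<c:if>` from the question keeps working because the flag names are unchanged. If you take the answer's advice and move to Spring Security 4, `http.sessionManagement().sessionFixation().migrateSession()` does the id rotation, CSRF protection is on by default, and `hasRole(...)` rules on URL patterns replace the hand-written flag check in `adminUsers`.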