Client Window feature leaks session id in URLs #4189

Closed
ren-zhijun-oracle opened this issue Sep 14, 2016 · 6 comments

ren-zhijun-oracle (Contributor)

With Mojarra the client window identifier is passed along by the jfwid URL parameter between requests. Currently the parameter has the format :.

Including the session id in full form in the URL should be avoided to prevent hijacking of the session when URLs are copied/pasted.

A fix could be to either identify the window only by its ID or replace the session id in the URL by a hash of the session id (if the session id still needs to be validated).

This is not a large security issue since it only happens when URLs are somehow copied and pasted and sent to a malicious 3rd party, but ideally it should be avoided.

Environment

2.2

ren-zhijun-oracle (Contributor, Author)

@javaserverfaces Commented
Reported by frederickkaempfer

ren-zhijun-oracle (Contributor, Author)

@javaserverfaces Commented
This issue was imported from java.net JIRA JAVASERVERFACES-4185

ren-zhijun-oracle (Contributor, Author)

@edburns Commented
Please see this important message regarding community contributions to
Mojarra.

https://javaee.groups.io/g/jsf-spec/message/30

Also, please consider joining that group, as that group has taken the
place of the old [email protected] mailing list.

Thanks,

Ed Burns

augustd commented Apr 17, 2019

Confirming that this issue still exists. This is the exact line of code where the session ID gets appended:

https://github.com/eclipse-ee4j/mojarra/blob/master/impl/src/main/java/com/sun/faces/lifecycle/ClientWindowImpl.java#L69

    // Excerpt from com.sun.faces.lifecycle.ClientWindowImpl; "id" is the instance field
    // that holds the client window identifier written into the jfwid URL parameter.
    private String calculateClientWindow(FacesContext context) {
        synchronized(context.getExternalContext().getSession(true)) {
            final String clientWindowCounterKey = "com.sun.faces.lifecycle.ClientWindowCounterKey";
            ExternalContext extContext = context.getExternalContext();
            Map<String, Object> sessionAttrs = extContext.getSessionMap();
            // Per-session counter, so each new window in the same session gets a distinct id
            Integer counter = (Integer) sessionAttrs.get(clientWindowCounterKey);
            if (null == counter) {
                counter = Integer.valueOf(0);
            }
            char sep = UINamingContainer.getSeparatorChar(context);
            // The raw session id becomes the first part of the window id, and therefore of the URL
            id = extContext.getSessionId(true) + sep + counter;

            sessionAttrs.put(clientWindowCounterKey, ++counter);
        }
        return id;
    }
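The two mitigations the reporter proposes (window-only id, or a hash of the session id that can still be validated), modelled as an added example in Python rather than Mojarra's Java; this is not project code, and the separator, the SHA-256 choice and the `jfwid` URL check are assumptions made here for illustration. The last function is the defender's check: does a given URL still carry the session id in `jfwid`?

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Mojarra joins the parts with the naming-container separator, ':' by default (assumed here)
SEP = ":"


def leaky_window_id(session_id: str, counter: int) -> str:
    """Current behaviour: the raw session id is the first part of jfwid."""
    return f"{session_id}{SEP}{counter}"


def opaque_window_id() -> str:
    """Fix (a): identify the window only by an unguessable id, no session id involved."""
    return secrets.token_urlsafe(16)


def hashed_window_id(session_id: str, counter: int) -> str:
    """Fix (b): replace the session id with a hash of it so the URL no longer reveals it."""
    digest = hashlib.sha256(session_id.encode()).hexdigest()[:32]
    return f"{digest}{SEP}{counter}"


def validate_hashed_window_id(jfwid: str, session_id: str) -> bool:
    """Server side of fix (b): bind the window id to the current session's id.

    Recomputes the hash from the session the request actually belongs to and compares
    in constant time; an id copied from another session fails the check.
    """
    expected = hashlib.sha256(session_id.encode()).hexdigest()[:32]
    prefix, _, counter = jfwid.rpartition(SEP)
    return counter.isdigit() and hmac.compare_digest(prefix, expected)


def url_leaks_session_id(url: str, session_id: str) -> bool:
    """Detection helper: True if any jfwid value in the URL contains the session id."""
    params = parse_qs(urlsplit(url).query)
    return any(session_id in value for value in params.get("jfwid", []))
```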


mnriem commented Jan 20, 2022

This issue was filed against a version that is not maintained by the Eclipse Mojarra project. Ask your vendor for a fix on this specific version. If this bug exists in the current version of Mojarra, please open a new issue, add a reproducer using only core Mojarra and, if you can, create a PR fixing the issue.

mnriem closed this as completed Jan 20, 2022