Issue: Session Fixation Prevention
Description:
If the application does not manage the session ID properly across login and logout, the session ID value is the same before and after login. An attacker who knows the pre-login session ID can then reuse it to view the logged-in pages of the application.
Remediation:
The session ID can be changed in the ZIETrans application by following the steps below.
- Create a ZIETrans project.
- Identify the Login screen and create a customization.
- Create a business logic for the Login page and place the code below in its execute method.
// Request a new session ID and mark this screen as the login screen
blInfo.getRequest().getSession().setAttribute(com.ibm.hats.web.runtime.WebConfig.ZIETRANS_CHANGE_ID, "true");
blInfo.getRequest().getSession().setAttribute(com.ibm.hats.web.runtime.WebConfig.ZIETRANS_LOGIN_SCREEN, "true");
- Add the business logic as the first action in the action tab of the Login page's customization.
- Identify the Landing screen (typically the next screen that appears after a successful login) and create a customization.
- Create a business logic for the Landing page and place the code below in its execute method.
// Request a new session ID once the landing screen is reached
blInfo.getRequest().getSession().setAttribute(com.ibm.hats.web.runtime.WebConfig.ZIETRANS_CHANGE_ID, "true");
- Add the business logic as the first action in the action tab of the Landing page's customization.
- Deploy and launch the ZIETrans application and log in to the host screen; the session ID should change after logging in and logging out.
- You can register more than one screen as a landing screen. If your application has an intermittent screen that sometimes appears in place of the regular landing screen, register it as a landing screen as well.
- If you have a login macro that automates the login, you can run the session reset (the Login page business logic) at the connect event, so that the session is reset every time a new connection is made.
- When a login macro is used to automate login, the landing page of the login macro must be the same as the landing page selected in step 6.
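The following is an added verification helper, not part of this technote or of ZIETrans: it takes the Set-Cookie headers captured from a browser or proxy at the three stages of the last step (before login, after login, after logout) and reports whether the session ID was actually regenerated at each transition. It assumes the session cookie is named JSESSIONID (the WebSphere/Liberty default); the sample headers are constructed.

```python
from http.cookies import SimpleCookie

SESSION_COOKIE = "JSESSIONID"  # assumption: default servlet session cookie name


def session_id(set_cookie_headers):
    """Return the session cookie value issued in a list of Set-Cookie headers, or None if none was issued."""
    for header in set_cookie_headers:
        cookie = SimpleCookie()
        cookie.load(header)
        if SESSION_COOKIE in cookie:
            return cookie[SESSION_COOKIE].value
    return None


def check_session_rotation(pre_login, post_login, post_logout):
    """Return a list of findings; an empty list means the ID changed at login and at logout."""
    ids = {
        "pre_login": session_id(pre_login),
        "post_login": session_id(post_login),
        "post_logout": session_id(post_logout),
    }
    findings = []
    # No new cookie after login, or the same value, means the pre-login ID stays valid: fixation risk
    if ids["post_login"] is None or ids["post_login"] == ids["pre_login"]:
        findings.append("session ID not regenerated at login (fixation risk)")
    # Logout should also invalidate the authenticated session and issue a fresh ID
    if ids["post_logout"] is None or ids["post_logout"] == ids["post_login"]:
        findings.append("session ID not regenerated at logout")
    if ids["post_logout"] is not None and ids["post_logout"] == ids["pre_login"]:
        findings.append("pre-login session ID reused after logout")
    return findings


# Constructed sample headers, as a proxy would capture them
PRE_LOGIN = ["JSESSIONID=0000AAAA; Path=/; HttpOnly"]
LOGIN_ROTATED = ["lang=en; Path=/", "JSESSIONID=0000BBBB; Path=/; HttpOnly"]
LOGOUT_ROTATED = ["JSESSIONID=0000CCCC; Path=/; HttpOnly"]
LOGIN_UNCHANGED = []  # server issued no new cookie after login

if __name__ == "__main__":
    print(check_session_rotation(PRE_LOGIN, LOGIN_ROTATED, LOGOUT_ROTATED))    # []
    print(check_session_rotation(PRE_LOGIN, LOGIN_UNCHANGED, LOGOUT_ROTATED))  # fixation finding
```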