Any suggestions on how to session proof a website?

Question

This might be a very odd question, but some hints or guidelines will be very helpful. We want to "session proof" our web site, basically make sure that two different sessions generate the same link structure (e.g. Both user-a and user-b will get the same links in the same web page).

The reason behind this test, is that our web site is generated by a content management solution that will generate different links(URLs) for each different session. That CMS (which is internally built) was fixed to return the same links across sessions.

The other situation with session proofing, is that our caching mechanism (SQUID) is giving TCP_MISSes all the time to our website, which makes us think that the complete site is marked dynamic and the caching server is having to reget all objects all the time.

Answer 1

Are you trying to verify that two different users do in fact see the same structure? One way would be to use something like wget to crawl the whole web site from two different IP addresses, and then compare the resulting trees.

Answer 2

This is what we do at amplafi.com

(h/t See http://randomcoder.com/articles/jsessionid-considered-harmful ) in the web.xml:

<filter>
    <filter-name>DisableSessionIdsInUrlFilter</filter-name>
    <filter-class>
        com.amplafi.web.servlet.DisableSessionIdsInUrlFilter
    </filter-class>
</filter>


<filter-mapping>
    <filter-name>DisableSessionIdsInUrlFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

And this java code:

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * remove any session id from the Url.
 *
 *
 * Ideally we would like to only remove this container-provided functionality
 * only for public portions of the web site (that can be crawled by google)
 * or for links that are to be bookmarked.
 *
 * @author Patrick Moore
 */
public class DisableSessionIdsInUrlFilter implements Filter {
    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }

        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        /*
         * Next, let's invalidate any sessions that are backed by a URL-encoded
         * session id. This prevents an attacker from generating a valid link.
         * Just because we won't be generating session-encoded links doesn't
         * mean someone else won't try
         */
        if (httpRequest.isRequestedSessionIdFromURL()) {
            HttpSession session = httpRequest.getSession();
            if (session != null) {
                session.invalidate();
            }
        }
        HttpServletResponseWrapper wrappedResponse = new ResponseWrapper(httpResponse);
        chain.doFilter(request, wrappedResponse);
    }

    @Override
    @SuppressWarnings("unused")
    public void init(FilterConfig arg0) throws ServletException {
    }

    /**
     * wraps response and prevense jsessionid from being encoded on the output.
     */
    private static class ResponseWrapper extends HttpServletResponseWrapper {

        ResponseWrapper(HttpServletResponse httpResponse) {
            super(httpResponse);
        }
        @Override
        public String encodeRedirectUrl(String uri) {
            return uri;
        }

        @Override
        public String encodeRedirectURL(String uri) {
            return uri;
        }

        @Override
        public String encodeUrl(String uri) {
            return uri;
        }

        @Override
        public String encodeURL(String uri) {
            return uri;
        }
    }
}

Answer 3

If every page in your site has a different link then caching would definitely be broken for the site.

Are you asking how to verify that the links are the same per session? Or are you asking how to ensure that links are the same per session?

For the former simply browsing from two different browsers and user logins should be sufficient.

As for ensuring the links are the same per session well... That would depend on your implementation which you indicated was inhouse.

Answer 4

You could write a test in Java using selenium. Add the assertions for the data you expect. Then you could loop over a list of multiple logins to see the test passes for each.

Selenium is pretty easy to get started in and tests can be written in many languages.

See here for details:

http://seleniumhq.org/projects/remote-control/

An example test would be something like this (pseudocode):

    public void setUp() throws Exception {
            setUp("http://mywebsite.com", "*chrome"); // to run the test in opera replace chrome with opera
        }

        public void testLoginWithMultipleUsers() {
          for(loop over users) {
            runLogin(user)
          }
        }

        public void runLogin(User user) throws Exception {
            selenium.open("/login.htm");
            assertTrue(selenium.isTextPresent("Link1"));
            assertTrue(selenium.isTextPresent("2003-2008"));
            selenium.open("/account");
            assertTrue(selenium.isTextPresent("2003-2008"));
            selenium.waitForPageToLoad("30000");
etc...

Selenium provides lots of methods to check if links and other page elements are present and the test can even be recorded in the browser - give it a try!

Answer 5

Why are your URLs different? Are you storing session IDs in them?

If you are, you should probably move that to a cookie!

Answer 6

You could try using a Load test suite like Pureload to simulate multiple users hitting your site. Pureload can have multiple concurrent simulated users each make the same request and confirm that the results are as expected. Depending on how dynamic your results are this may help you test your bug.