tags:

views:

412

answers:

3
Q: 

How can I redirect to logon.jsp with unencrypted password in the HTTPSession?

I have a j2ee web app that is using JAAS form based authentication. However, due to some unusual requirements, I cannot have the user enter their username and password directly into the logon.jsp form and have them submit it. Instead, I must gather the data on a separate page, and then later redirect to logon.jsp to log them in.

What I am thinking of doing is storing the username/password unencrypted in the HTTPSession. When I am ready to authenticate, I use a response.redirect to route to logon.jsp. In logon.jsp, I take the username and password out of the Session, populate the standard 'j-security-check' form, and then use javascript to submit the form.

How much of a security hole is this? I'm uncomfortable routing the request to go to logon.jsp via the browser (thats what a redirect does) because someone might get access to the session, and therefore the unencrypted password. If I am using HTTPS / SSL, is this a likely situation? How would it be exploited?

I looked into invoking the login servlet directly in a JSP without using the form, but that doesn't seem to be a viable option, particularly because I lose my insulation from differing J2EE containers/application servers.

Anyone got any idea how I can limit this security hole? Would using forward as opposed to redirect be better, because it doesnt go back to the browser?

How bad is this?

A: 

It sounds like you're sending the password back to the user so that the user can re-submit the form to the real login.jsp. That sounds Battlefield Earth horrific to me. Assuming the user types in the password after he types in the username, can the password form not simply submit directly to the login handler?

Mr. Shiny and New  2009-05-22 14:34:24
Thanks for your response. The 'user' isnt resubmitting the form in that they dont click submit, but a javascript would automatically submit the logon.jsp form after i had populated it with the values taken from the session. So the browser is doing it. Is that what you meant? The password form cannot submit directly to the login handler, that is exactly where my problem lies.
Fintan  2009-05-22 14:41:35
You condemn the approach strongly. Can you describe the steps an attacker would take to exploit it?
erickson  2009-05-22 15:15:27
A: 

Oh god. First rule of password security is never transmit a password in plaintext, ever. If you're storing it in the session in plaintext, that means you're probably having the password sent from the user to your server in plaintext (unless you're using SSL which I strongly suggest). This means any packet sniffer can find the password. As for storing them in the session in plaintext, that means you're vulnerable to session hijacking.

In other words. It is horrific. Do not do this.

Malfist  2009-05-22 14:38:31
Storing a password in plaintext in the session does not imply that SSL is not used. That's an unwarranted assumption.
erickson  2009-05-22 14:49:09
Good point, I neglected to ask. However they're still vulnerable to session hijacking. I updated my answer to reflect your comment.
Malfist  2009-05-22 15:04:48
I'll use SSL, and the password will encrypted in the web tier before being sent to the server, and it'll be encrypted in the database (one direction with salt). The only time it is in plain text is when i have to route to logon.jsp (it has to be submitted in plain text, WELL, if, despite the SSL, this is as horrific as you think, encrypting it when redirecting is my only option, but this will lead to a real headache). How bad is the response.redirect with the plaintext password in the session if im using SSL? How would this be exploited?
Fintan  2009-05-22 15:09:02
+1  A: 

It seems that its very easy to describe this kind of practice as horrific, but a lot more difficult to explain why it is horrific, or how it might be exploited in a situation where SSL is used. We place our sensitive information in the hands of HTTPS / SSL all the time, I dont see how this is any different.

Best practice would be to avoid interactions with the browser when unnecessary. You have to manage the pay off between security and usibility, asses your applications requirements and sensitivity, and act accordingly.

In any eventuality, using a forward as opposed to a redirect will prevent the browser participation, as a forward is performed internally on the web tier.

Fintan  2009-05-25 15:19:53

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security