Troubleshooting Session Cookie JSESSIONID (KBA1835)
Troubleshooting JSESSIONID Cookie Persistent Before and After Login
The session cookie (JSESSIONID=<VALUE>) keeps the same value before and after login. This is a session fixation weakness: an unauthenticated attacker who already knows a session ID (for example, one the attacker obtained by creating a session and then planted in the victim's browser) can induce a legitimate user to authenticate under that same ID. Because the ID is not changed at login, the attacker's pre-authentication session is promoted to an authenticated (logged in) session.
In this scenario the attacker does not need the victim's password or the victim's own session ID; the attacker fixes a session ID of their choosing, waits for the valid user to log in under it, and then presents the same cookie. After login the server treats that session ID as belonging to the logged-in user, so the attacker acts with that user's privileges.
Resolution
On successful authentication the server should issue a new session ID in the login response instead of carrying the pre-login ID forward. For the CLI, update the PAM module so that it stores the new session ID returned in the login response rather than continuing to use the ID obtained when the session was first established.
Best practice is for the application server to invalidate the old session on successful login and generate a fresh session ID, so that any session ID known to an attacker before authentication is useless afterwards.
The example below shows the API calls used to establish a session and then log in.
To establish a new session:
$ curl -s -X POST -k --data @- http://delphix-server/resources/json/delphix/session \
    -c ~/cookies.txt -H "Content-Type: application/json" <<EOF
{
    "type": "APISession",
    "version": {
        "type": "APIVersion",
        "major": 1,
        "minor": 4,
        "micro": 3
    }
}
EOF
The server responds with:
{
    "status": "OK",
    "result": {
        "type": "APISession",
        "version": {
            "type": "APIVersion",
            "major": 1,
            "minor": 4,
            "micro": 3
        },
        "locale": "en_US",
        "client": null
    },
    "job": null
}
You can authenticate to the server by executing the LoginRequest API. Unauthenticated sessions are prohibited from making other API calls. The following example logs in via curl, reusing the cookies saved when the session was established:
$ curl -s -X POST -k --data @- http://delphix-server/resources/json/delphix/login \
    -b ~/cookies.txt -c ~/cookies.txt -H "Content-Type: application/json" <<EOF
{
    "type": "LoginRequest",
    "username": "delphix_username",
    "password": "delphix_password"
}
EOF
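As an added example (not part of this KBA and not Delphix code), the following POSIX shell script turns the two calls above into a check for the behaviour this article describes: it keeps the cookie jar written by the session call separate from the jar written by the login call and compares the JSESSIONID values. If they are equal, the engine still has the session fixation weakness; if they differ, the session ID is being regenerated on login as the Resolution requires. The script runs offline against constructed sample jars; probe_engine reproduces the article's curl calls against a real engine and is only executed when you call it. The host name, credentials and file paths in it are placeholders.

```shell
#!/bin/sh
# Added example for this KBA, not Delphix code: verify whether JSESSIONID is
# rotated on login by comparing the cookie jar saved before and after login.

# Extract the JSESSIONID value from a curl (Netscape-format) cookie jar.
# Jar lines are: domain, subdomain flag, path, secure flag, expiry, name, value,
# separated by tabs. curl writes HttpOnly cookies with a "#HttpOnly_" prefix on
# the domain, so filter on field count and cookie name, not on a leading "#".
jsessionid_from_jar() {
    awk -F'\t' 'NF >= 7 && $6 == "JSESSIONID" { print $7; exit }' "$1"
}

# Compare the JSESSIONID in a pre-login jar ($1) and a post-login jar ($2).
# Prints ROTATED (exit 0), FIXED (exit 1) or MISSING (exit 2).
check_rotation() {
    before=$(jsessionid_from_jar "$1")
    after=$(jsessionid_from_jar "$2")
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo MISSING
        return 2
    fi
    if [ "$before" = "$after" ]; then
        echo FIXED
        return 1
    fi
    echo ROTATED
    return 0
}

# Write a constructed sample jar ($1) holding a JSESSIONID with value $2, in the
# same layout that curl -c produces. Used only for the offline demonstration.
write_sample_jar() {
    {
        printf '# Netscape HTTP Cookie File\n'
        printf '#HttpOnly_delphix-server\tFALSE\t/\tFALSE\t0\tJSESSIONID\t%s\n' "$2"
    } > "$1"
}

# Live probe (not run by default): the article's two curl calls, but saving the
# cookie jar from each call to a separate file so the two can be compared.
# $1 engine host, $2 username, $3 password, $4 directory for the jars.
probe_engine() {
    server=$1; user=$2; pass=$3; dir=$4
    curl -s -X POST -k --data @- "http://$server/resources/json/delphix/session" \
        -c "$dir/before.txt" -H "Content-Type: application/json" >/dev/null <<EOF
{ "type": "APISession",
  "version": { "type": "APIVersion", "major": 1, "minor": 4, "micro": 3 } }
EOF
    curl -s -X POST -k --data @- "http://$server/resources/json/delphix/login" \
        -b "$dir/before.txt" -c "$dir/after.txt" \
        -H "Content-Type: application/json" >/dev/null <<EOF
{ "type": "LoginRequest", "username": "$user", "password": "$pass" }
EOF
    check_rotation "$dir/before.txt" "$dir/after.txt"
}

# Offline demonstration with constructed jars: one engine that keeps the ID
# across login (the behaviour this article describes) and one that rotates it.
demo_dir=$(mktemp -d)
write_sample_jar "$demo_dir/before.txt" 1A2B3C4D5E6F
write_sample_jar "$demo_dir/after_fixed.txt" 1A2B3C4D5E6F
write_sample_jar "$demo_dir/after_rotated.txt" 9F8E7D6C5B4A
for after in after_fixed after_rotated; do
    result=$(check_rotation "$demo_dir/before.txt" "$demo_dir/$after.txt") || true
    case $result in
        ROTATED) echo "$after: $result (session ID changed on login)" ;;
        FIXED)   echo "$after: $result (session fixation possible)" ;;
        *)       echo "$after: no JSESSIONID found in jar" ;;
    esac
done
rm -rf "$demo_dir"
```

To run it against an engine, source the script and call, for example, probe_engine delphix-server delphix_username delphix_password /tmp/jars; the password is passed as an argument only to mirror the article's curl example and will be visible in the process list, so use a throwaway account or read it from a file in real use. The jar written after login still contains the pre-login cookie if the server sent no new Set-Cookie, which is exactly why comparing the two files detects the problem.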
Applicable Delphix Versions
This article applies to the following versions of the Delphix Engine:
Major Release | Sub Releases
5.3 | 5.3.1, 5.3.2, 5.3.3