Delphix

Troubleshooting Session Cookie JSESSIONID (KBA1835)


Troubleshooting JSESSIONID Cookie Unchanged Before and After Login

The session cookie (JSESSIONID=<VALUE>) keeps the same value before and after login. This exposes a session fixation weakness: an unauthenticated attacker who knows (or has planted) a session ID can get a legitimate user to authenticate while carrying that same ID, so that the attacker's pre-existing, unauthenticated session becomes an authenticated one.

In other words, the attacker does not need to steal the victim's session ID after login. The attacker fixes a known session ID on the victim beforehand; once the victim logs in, the server treats that ID as the victim's authenticated session, and the attacker, presenting the same cookie, is granted the victim's privileges.

Resolution

On successful authentication the server must issue a new session ID rather than continuing to use the one assigned before login. CLI clients must be updated accordingly: the PAM module must store the new session ID returned in the login response instead of continuing to send the pre-login value.

Best practice is for the application server to destroy the pre-authentication session on successful login and generate a fresh Session ID, so that any session ID an attacker knew before login is worthless afterwards.

The example below shows the API calls used to establish a session and then authenticate. With the fix in place, the JSESSIONID returned by the login call differs from the one set when the session was created.

To establish a new session:
$ curl -s -X POST -k --data @- http://delphix-server/resources/json/delphix/session \
   -c ~/cookies.txt -H "Content-Type: application/json" <<EOF
{
   "type": "APISession",
   "version": {
       "type": "APIVersion",
       "major": 1,
       "minor": 4,
       "micro": 3
   }
}
EOF

The server responds with the session details:
{
   "status":"OK",
   "result": {
       "type":"APISession",
       "version": {
           "type": "APIVersion",
           "major": 1,
           "minor": 4,
           "micro": 3
       },
       "locale": "en_US",
       "client": null
   },
   "job": null
}

You can authenticate to the server with the LoginRequest API; unauthenticated sessions are not permitted to make other API calls. The following example logs in with curl, reading the cookie jar written by the session call and writing the cookies set by the login response (which, once fixed, carry the new JSESSIONID) back to the same file:


$ curl -s -X POST -k --data @- http://delphix-server/resources/json/delphix/login \
   -b ~/cookies.txt -c ~/cookies.txt -H "Content-Type: application/json" <<EOF
{
   "type": "LoginRequest",
   "username": "delphix_username",
   "password": "delphix_password"
}
EOF
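The following Python script is an added example for this article, not Delphix's own tooling. It performs the same two calls as the curl examples above (APISession, then LoginRequest) and reports whether the login response issued a different JSESSIONID than the session call, which is the check you would run to confirm the resolution is in place. The server address, credentials and API version are the placeholders from the curl examples; the sample Set-Cookie headers at the bottom are constructed, not captured from a real engine.

```python
"""Check whether a Delphix Engine rotates JSESSIONID on login.

Added example for this article, not Delphix code. It runs the APISession and
LoginRequest calls shown above and classifies the login response as
'rotated' (fix in place) or 'fixated' (pre-login ID still in use).
Placeholders: server URL, username, password (from the article's curl calls).
"""
import json
import ssl
import urllib.request
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie

# Same APISession body as the article's first curl call.
SESSION_BODY = {
    "type": "APISession",
    "version": {"type": "APIVersion", "major": 1, "minor": 4, "micro": 3},
}


def jsessionid_from_set_cookie(set_cookie_headers):
    """Return the JSESSIONID value from a list of Set-Cookie header values, or None."""
    for raw in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(raw)
        if "JSESSIONID" in parsed:
            return parsed["JSESSIONID"].value
    return None


def classify_rotation(pre_login_id, login_set_cookie_headers):
    """Classify the login response relative to the pre-login session ID.

    'rotated'    - login issued a new, different JSESSIONID (the fix is in place)
    'fixated'    - login reissued the same ID or set none, so the client keeps
                   the pre-login cookie and the weakness described above applies
    'no_session' - the session call never set a JSESSIONID; nothing to compare
    """
    if pre_login_id is None:
        return "no_session"
    post_login_id = jsessionid_from_set_cookie(login_set_cookie_headers)
    if post_login_id is None or post_login_id == pre_login_id:
        return "fixated"
    return "rotated"


def _post_json(opener, url, body):
    """POST a JSON body; return (parsed JSON response, list of Set-Cookie headers)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json"},
    )
    with opener.open(req, timeout=30) as resp:
        return json.load(resp), resp.headers.get_all("Set-Cookie") or []


def check_engine(base_url, username, password, insecure=False):
    """Run session + login against a live engine and return the classification.

    insecure=True mirrors curl -k (skips TLS verification); only for lab use.
    """
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()),
        urllib.request.HTTPSHandler(context=ctx),
    )
    _, session_cookies = _post_json(
        opener, base_url + "/resources/json/delphix/session", SESSION_BODY)
    pre_login_id = jsessionid_from_set_cookie(session_cookies)
    login_body = {"type": "LoginRequest", "username": username, "password": password}
    result, login_cookies = _post_json(
        opener, base_url + "/resources/json/delphix/login", login_body)
    if result.get("status") != "OK":
        raise RuntimeError("login failed: %s" % result)
    return classify_rotation(pre_login_id, login_cookies)


# Constructed sample headers (not from a real engine) illustrating both outcomes.
SAMPLE_SESSION = ["JSESSIONID=1A2B3C4D5E6F; Path=/; HttpOnly; Secure"]
SAMPLE_LOGIN_FIXED = ["JSESSIONID=9F8E7D6C5B4A; Path=/; HttpOnly; Secure"]  # new ID issued
SAMPLE_LOGIN_VULNERABLE = []  # login response sets no cookie; pre-login ID stays in use

if __name__ == "__main__":
    pre = jsessionid_from_set_cookie(SAMPLE_SESSION)
    print("patched engine: ", classify_rotation(pre, SAMPLE_LOGIN_FIXED))
    print("affected engine:", classify_rotation(pre, SAMPLE_LOGIN_VULNERABLE))
    # Against a live engine (placeholder URL and credentials from the article):
    # print(check_engine("https://delphix-server", "delphix_username",
    #                    "delphix_password", insecure=True))
```

An engine that returns the same JSESSIONID, or no Set-Cookie at all, from the login call is still affected: the browser or cookie jar simply keeps sending the pre-login value, which is exactly the ID an attacker could have fixed in advance.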


Note:

The login API currently only supports authentication by password.


Applicable Delphix Versions

This article applies to the following versions of the Delphix Engine:

Major Release    Sub Releases
5.3              5.3.1, 5.3.2, 5.3.3