Java

Made by DeepSource

getRequestedSessionId should not be used JAVA-S1063

Security
Critical
Tags: A07, A04, CWE-287, SANS Top 25, OWASP Top 10, CWE-807

The session ID returned by getRequestedSessionId is whatever the client sent; it is not necessarily the ID of a valid session, nor one belonging to the current user.

As per the Oracle Java Docs, HttpServletRequest.getRequestedSessionId returns the session ID specified by the client (through the session cookie or a URL parameter), which "may not be the same as the ID of the current valid session for this request", and returns null when the client sent none. The container does not validate this value before returning it.

Since the client has full control over the value returned by getRequestedSessionId, treating it as proof of identity lets an attacker who supplies another user's active session ID act as that user, and lets a fabricated or expired ID reach code that assumes it was checked. If an application needs the validated session, it should call getSession(false), which returns null unless the requested ID matches a live session, or check isRequestedSessionIdValid() first.

Bad Practice

import javax.servlet.http.HttpServletRequest;

public Response handleRequest(HttpServletRequest request) {
    // Client-controlled: whatever the caller put in the session cookie or URL,
    // whether or not it is valid and whether or not it belongs to this user.
    String sessionID = request.getRequestedSessionId();
    // Do something that requires authorization using the sessionID.
    doAuthorizedTask(sessionID);

    // ...rest of the code
}

Recommended

Do not use the client-supplied session ID for authentication or authorization. Obtain the container-validated session with request.getSession(false) (null means no valid session exists for this request), and read the caller's identity and roles from attributes that the login code stored server-side in that session, or from a database record keyed by that validated session. The raw value from getRequestedSessionId should at most be compared with isRequestedSessionIdValid(); it should never be passed to code that makes a security decision.
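The following is an added example, not code from the DeepSource rule page, showing the vulnerable handler beside the hardened one in a plain servlet. The class name AccountServlet, the "userId" session attribute, the in-memory userBySessionId map and the doAuthorizedTask helper are assumptions made for illustration; the servlet API calls (getRequestedSessionId, isRequestedSessionIdValid, getSession(false), changeSessionId) are the standard javax.servlet ones.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet used only to contrast the two patterns.
public class AccountServlet extends HttpServlet {

    // Hypothetical application-level store keyed by the raw session ID.
    // This is the design the rule warns about: nothing verifies that a key
    // in this map corresponds to a live container session.
    private static final Map<String, String> userBySessionId = new ConcurrentHashMap<>();

    // BAD: trusts the client-supplied ID as proof of who is calling.
    // A caller who sends another user's active ID in the JSESSIONID cookie
    // or the ;jsessionid= path parameter is treated as that user.
    protected void doGetUnsafe(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String sessionId = req.getRequestedSessionId();   // attacker-controlled
        if (sessionId == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String userId = userBySessionId.get(sessionId);    // untrusted input in a security decision
        if (userId == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        doAuthorizedTask(userId, resp);
    }

    // GOOD: ask the container for the validated session. getSession(false)
    // returns null unless the requested ID matches an existing, unexpired
    // session, so the identity comes from server-side state, not the request.
    // isRequestedSessionIdValid() is the explicit form of the same check.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session == null || !req.isRequestedSessionIdValid()) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // "userId" is set only by doPost below, after the credential check,
        // so its presence means this session was authenticated on the server.
        Object userId = session.getAttribute("userId");
        if (userId == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        doAuthorizedTask(userId.toString(), resp);
    }

    // Login: bind the identity to the server-side session. changeSessionId()
    // (Servlet 3.1+) discards any ID the client chose before authenticating,
    // so a pre-set ID cannot be reused to ride the authenticated session.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("user");
        String password = req.getParameter("password");
        if (!credentialsValid(user, password)) {          // hypothetical check
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = req.getSession(true);
        req.changeSessionId();
        session.setAttribute("userId", user);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    private boolean credentialsValid(String user, String password) {
        // Placeholder for a real password check (e.g. a salted hash compare).
        return user != null && password != null && !user.isEmpty() && !password.isEmpty();
    }

    private void doAuthorizedTask(String userId, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello, " + userId);
    }
}
```

In doGetUnsafe the only link between the request and an identity is a string the client chose, which is exactly CWE-807 (untrusted input in a security decision). In doGet the client still sends an ID, but the container decides whether it names a real session, and the user identity is read from an attribute that only the server ever wrote.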

References

  • OWASP Top Ten (2021) - Category A04 - Insecure Design
  • OWASP Top Ten (2021) - Category A07 - Identification and Authentication Failures
  • CWE-807 - Reliance on Untrusted Inputs in a Security Decision
  • CWE-287 - Improper Authentication