SV.SESSION.FIXATION.COOKIE

Cookies should not be vulnerable to session fixation

Klocwork reports an SV.SESSION.FIXATION.COOKIE defect when a tainted value is used to set the JSESSIONID cookie.

Vulnerability and risk

By using tainted data in cookies, attackers can set the session identifier to a known value that allows an attacker to share the session with the victim. Attackers can then gain unauthorized access to sensitive information.

Mitigation and prevention

Avoid using tainted data in JSESSIONID cookies.

Vulnerable code example

Copy
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.*;
import java.io.IOException;
 
public class Test {
 
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String value = req.getParameter("value");
        Cookie cookie = new Cookie("jsessionid", value);  // SV.SESSION.FIXATION.COOKIE
    }
}

Klocwork reports an SV.SESSION.FIXATION.COOKIE defect at line 9, because tainted data from the request is used to set the session ID in the cookie.

Fixed code example

Copy
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.*;
import java.io.IOException;
 
public class Test {
 
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        SecureRandom secureRandom = SecureRandom.getInstance("NativePRNG");
        long value = secureRandom.nextLong();
        Cookie cookie = new Cookie("jsessionid", value);
    }
}

Klocwork no longer reports an SV.SESSION.FIXATION.COOKIE defect because the JSESSIONID cookie is set to a random value.

Related checkers

Security training

Application security training materials provided by Secure Code Warrior.