HttpServletRequest.getRequestedSessionId method should not be used

Klocwork reports a SV.IL.SESSION.CLIENT defect when the HttpServletRequest.getRequestedSessionId() method is used.

Vulnerability and risk

According to the Oracle Java API, the HttpServletRequest.getRequestedSessionId() method, "Returns the session ID specified by the client. This may not be the same as the ID of the current valid session for this request. If the client did not specify a session ID, this method returns null."

The session ID this method returns is transmitted either in a cookie or in a URL parameter, so by definition nothing prevents the end user from manually changing the value of that session ID in the HTTP request.

Here is an example of a request in which the client has tampered with the session cookie:

GET /pageSomeWhere HTTP/1.1
User-Agent: Mozilla/5.0
Cookie: JSESSIONID=Hacked_Session_Value'''">

Because the end-user can manually change the value, the session ID in the request should only be used by a servlet container (for example, Tomcat or Jetty) to see if the value matches the ID of an existing session. If the session ID doesn't match, the user should be considered unauthenticated.

Mitigation and prevention

Do not use the HttpServletRequest.getRequestedSessionId method. Instead, generate a fresh session ID when a user logs in.
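The following login servlet is an added example (not Klocwork's or the page's own code) of the pattern described above: the client-supplied session ID is never read or compared by application code; instead the old session is invalidated and a fresh one created once the credentials check out, and protected requests let the servlet container decide whether the presented ID maps to a live session. The credential check and the "user" session attribute are assumptions for illustration only.

```java
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;

// Added example, not from the original page: never touches getRequestedSessionId().
public class LoginServlet extends HttpServlet {

    // Hypothetical credential check; a real application would consult its user store.
    private boolean credentialsValid(String user, String password) {
        return "alice".equals(user) && "correct-horse".equals(password);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");
        String password = request.getParameter("password");

        if (!credentialsValid(user, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Whatever JSESSIONID the client sent is discarded: invalidate any pre-login
        // session and create a new one, so the authenticated session gets an ID the
        // client could not have chosen or known in advance.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("user", user);

        // Servlet 3.1+ alternative that keeps session attributes but rotates the ID:
        // request.changeSessionId();
        response.getWriter().println("Logged in");
    }

    // A protected resource: the container, not application code, validates the ID.
    // getSession(false) returns null unless the presented ID matches a live session.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            // Either no valid session was presented or the session is not authenticated.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        response.getWriter().println("Hello " + session.getAttribute("user"));
    }
}
```

The key difference from the flagged pattern is that the raw cookie value never reaches application logic: `getSession(false)` only returns a session the container itself created and still tracks, and rotating the ID at login means an ID the client presented before authenticating is never the ID of the authenticated session.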

Vulnerable code example 1

import javax.servlet.http.*;
import javax.servlet.*;
import java.io.IOException;

class Test extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // Client-controlled value taken straight from the JSESSIONID cookie or URL parameter
        String id = request.getRequestedSessionId();
        if (authenticate(id)) {
            response.getWriter().println("Welcome");
        }
    }
    // Placeholder check that trusts the client-supplied ID; this is the flaw the checker flags
    private boolean authenticate(String id) { return id != null && !id.isEmpty(); }
}

Klocwork reports an SV.IL.SESSION.CLIENT defect on line 8, indicating, "Session id provided by client can manually be changed which updates this value in HttpRequest."

Security training

Application security training materials provided by Secure Code Warrior.