Wednesday, June 25, 2014

Ethical Hack Insufficient Session Destruction

1. Create an HttpSessionListener

import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Logs every session creation and destruction so you can confirm that
// logout really destroys the server-side session.
public class MySessionListener implements HttpSessionListener {
    public void sessionCreated(HttpSessionEvent evt) {
        HttpSession session = evt.getSession();
        session.getServletContext().log(
            "CREATED Session ID: " + session.getId() + "\t time: "
                + new java.util.Date());
    }

    // Fired by the container when session.invalidate() is called or the
    // session times out; if no DESTROYED line appears after logout, the
    // session was not destroyed.
    public void sessionDestroyed(HttpSessionEvent evt) {
        HttpSession session = evt.getSession();
        session.getServletContext().log(
            "DESTROYED Session ID: " + session.getId() + "\t time: "
                + new java.util.Date());
    }
}

2. Configure this Session Listener in your web.xml

    <listener>
        <listener-class>com.pearson.cat.web.session.MySessionListener</listener-class>
    </listener>

3. Copy the invalidate() method shown below into your logout.jsp, then check whether the listener logs a DESTROYED message for the session when you log out.

import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.http.HttpSession;

// Wrapper class (name chosen here) holding the current HttpSession;
// call invalidate() from logout.jsp.
public class SessionHolder {
    private HttpSession session;

    public SessionHolder(HttpSession session) {
        this.session = session;
    }

    public void invalidate() {
        if (this.session != null) {
            this.cleanAttributes();
            // Destroys the server-side session; the listener logs DESTROYED
            this.session.invalidate();
            // Avoid IllegalStateException if invalidate() is called twice
            this.session = null;
        }
    }

    public void cleanAttributes() {
        if (this.session != null) {
            // Copy the names first: removing attributes while iterating the
            // live enumeration fails on some containers
            Enumeration<String> attributes = session.getAttributeNames();
            List<String> names = Collections.list(attributes);
            for (String name : names) {
                session.removeAttribute(name);
            }
        }
    }
}
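A complete logout endpoint to pair with the listener above, plus a filter that logs requests presenting a session ID the container no longer recognises. This is an added example, not code from the original post: the class names LogoutServlet and StaleSessionFilter, the /logout and /login.jsp paths, and the JSESSIONID cookie name (the Servlet default, which a container may be configured to change) are assumptions. Each public class goes in its own source file.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// File 1: LogoutServlet.java (hypothetical name).
// Destroys the server-side session and expires the client's cookie, so the
// listener's DESTROYED line appears and the old ID cannot be reused.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {
    // Logout is POST-only so that a cross-site link cannot trigger it.
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // false: do not create a new session just to destroy it
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Triggers MySessionListener.sessionDestroyed()
            session.invalidate();
        }
        // Expire the session cookie on the client (assumed default name)
        Cookie cookie = new Cookie("JSESSIONID", "");
        cookie.setMaxAge(0);
        String path = request.getContextPath();
        cookie.setPath(path.isEmpty() ? "/" : path);
        cookie.setHttpOnly(true);
        cookie.setSecure(request.isSecure());
        response.addCookie(cookie);
        // Keep the post-logout response out of browser and proxy caches
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }
}

// File 2: StaleSessionFilter.java (hypothetical name).
// Detection: a request carrying a session ID that is no longer valid
// (for example a cookie replayed after logout, or an expired session) is
// logged for review. Only a prefix of the ID is logged to keep the
// full value out of log files.
@WebFilter("/*")
class StaleSessionFilter implements Filter {
    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String requested = request.getRequestedSessionId();
        if (requested != null && !request.isRequestedSessionIdValid()) {
            String prefix = requested.substring(0, Math.min(8, requested.length()));
            request.getServletContext().log(
                "STALE session ID " + prefix + "... presented from "
                    + request.getRemoteAddr() + " for " + request.getRequestURI());
        }
        chain.doFilter(req, res);
    }
}
```

After deploying, log out and check the container log: a DESTROYED line from the listener confirms the fix, and a later request replaying the old cookie should produce a STALE line from the filter rather than a served page. If the application does not use Servlet 3.0 annotations, register the servlet and filter in web.xml alongside the listener from step 2.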
