DeepSource
Dashboard Resources Pricing Discover Directory Log in

Run your first analysis.

Find thousands of code security and quality issues in your codebase, before they end up in production.

Start now
Java

Java

Made by DeepSource
Use Analyzer

getRequestSessionId should not be used JAVA-S1063

Security
Critical
 a07 a04 cwe-287 sans top 25 owasp top 10 cwe-807

The session ID returned by getRequestSessionId isn't necessarily the one belonging to the current user.

As per the Oracle Java Docs, getRequestSessionId returns the session ID that is specified by the client through cookies or URL parameters.

Since the client has full control over the session ID returned from getRequestedSessionId, a malicious attacker could easily gain unauthorized access to someone else's account if they supply an active session ID that belongs to someone else.

Bad Practice

public Response handleRequest(HttpServletRequest request) {
    val sessionID = request.getRequestedSessionId();
    // Do something that requires authorization using the sessionID.
    doAuthorizedTask(sessionID);

    // ...rest of the code
}

Recommended

Do not use user supplied session IDs for authorization purposes. Store it in the server or a database and query it as required.

References

  • OWASP Top Ten (2021) - Category A04 - Insecure Design
  • OWASP Top Ten (2021) - Category A07 - Identification and Authentication Failures
  • CWE-807 - Reliance on Untrusted Inputs in a Security Decision
  • CWE-287 - Improper Authentication