Java

By DeepSource

getRequestedSessionId should not be used JAVA-S1063

Security

The session ID returned by getRequestedSessionId is not necessarily the ID of a valid session, let alone one belonging to the current user.

As per the Oracle Java Docs, getRequestedSessionId returns the session ID that the client specified, through a cookie (JSESSIONID) or a URL parameter (;jsessionid=). The documentation notes that this may not be the same as the ID of the current valid session for the request, and that it returns null if the client specified none. The servlet container does no validation of this value before handing it back.

Since the client has full control over the value returned from getRequestedSessionId, any code that treats it as proof of identity is making a security decision on untrusted input. An attacker who obtains another user's active session ID (or fixes one in advance) only has to send it in the cookie or URL to be treated as that user, regardless of whether the container considers the session valid for this request.

Bad Practice

// Assumes javax.servlet.http.HttpServletRequest.
public Response handleRequest(HttpServletRequest request) {
    // Comes straight from the client's cookie or URL; the container has not checked it.
    String sessionID = request.getRequestedSessionId();
    // Do something that requires authorization using the client-supplied sessionID.
    doAuthorizedTask(sessionID);

    // ...rest of the code
}

Recommended

Do not use the client-supplied session ID for authentication or authorization. Ask the container for the session it has validated for this request (request.getSession(false), which returns null when there is none) and keep the user's identity in server-side state attached to that session or in a database, querying it as required. If you must inspect the requested ID, check request.isRequestedSessionIdValid() first rather than trusting the raw value.
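The following servlet, added here as an example and not taken from the DeepSource page, shows the flagged pattern next to a hardened replacement. It assumes the javax.servlet API; AccountService, the "userId" session attribute and the demo credentials are all assumptions made for the illustration.

```java
// Added example (not from the original page): vulnerable vs. hardened use of
// session identity in a servlet. Assumes javax.servlet (3.x/4.x); AccountService
// and the "userId" attribute name are hypothetical.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AccountServlet extends HttpServlet {

    // Hypothetical backing service standing in for the privileged operation.
    private final AccountService accounts = new AccountService();

    // BAD (the JAVA-S1063 pattern): the ID comes straight from the JSESSIONID
    // cookie or ;jsessionid= URL parameter. The container has not validated it,
    // so anyone who supplies another user's active ID is served as that user.
    protected void doGetVulnerable(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String sessionId = req.getRequestedSessionId();          // untrusted input
        String owner = accounts.ownerOfSession(sessionId);       // used as identity
        resp.getWriter().println(accounts.balanceFor(owner));
    }

    // GOOD: use the session the container has validated for this request and
    // take the identity from server-side state that was set at login.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);             // null if no valid session
        if (session == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String owner = (String) session.getAttribute("userId");  // assumed attribute
        if (owner == null) {                                     // valid session, not logged in
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.getWriter().println(accounts.balanceFor(owner));
    }

    // Login: verify credentials, then bind the identity to a fresh server-side
    // session. Invalidating any pre-existing session also defeats session fixation.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String password = req.getParameter("password");
        if (user == null || password == null || !accounts.authenticate(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();                                    // drop any attacker-chosen ID
        }
        req.getSession(true).setAttribute("userId", user);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Hypothetical in-memory service so the example is self-contained.
    static class AccountService {
        private final Map<String, String> passwords = new HashMap<>();
        private final Map<String, Long> balances = new HashMap<>();
        private final Map<String, String> sessionOwners = new HashMap<>(); // the flawed design

        AccountService() {
            passwords.put("alice", "correct horse");             // demo credentials only
            balances.put("alice", 100L);
            sessionOwners.put("ABC123", "alice");                // an "active" ID an attacker could replay
        }

        boolean authenticate(String user, String password) {
            return password.equals(passwords.get(user));
        }

        // Looks up identity by a client-supplied ID: this is what makes doGetVulnerable exploitable.
        String ownerOfSession(String sessionId) {
            return sessionOwners.get(sessionId);
        }

        long balanceFor(String owner) {
            return balances.getOrDefault(owner, 0L);
        }
    }
}
```

In doGetVulnerable a request carrying Cookie: JSESSIONID=ABC123 is answered with alice's balance whether or not the container knows that session. In doGet the container decides what the current session is, and the handler only trusts the identity it stored itself at login.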

References

  • OWASP Top Ten (2021) - Category A04 - Insecure Design
  • OWASP Top Ten (2021) - Category A07 - Identification and Authentication Failures
  • CWE-807 - Reliance on Untrusted Inputs in a Security Decision