Class JSessionIdNoCacheFilter

  • All Implemented Interfaces:
    javax.servlet.Filter

    public class JSessionIdNoCacheFilter
    extends java.lang.Object
    implements javax.servlet.Filter
    Sets the header "Cache-Control: no-cache" on any response that carries the JSESSIONID session cookie. This is done for security reasons: web servers use session cookies to identify active user sessions, and disclosing a session cookie to an attacker enables a session hijacking attack, so session cookies must be treated as sensitive data and protected accordingly. With a secure cache-control policy in place, session cookies are typically held in browser memory rather than written to disk, and are deleted from the client machine when the browsing session ends.

    A session cookie can, however, survive inside a cached web page. For example, when a user logs in to a web site, the returned page may carry the session cookie in a "Set-Cookie" response header. If that page's "Cache-Control" header is "public", every proxy server and gateway between the client and the server is permitted to cache the page, and the risk of exposing the session cookie to an attacker increases significantly. It is therefore recommended to set the Cache-Control header to a secure value such as no-cache. As with a password, an attacker who steals a session cookie representing a valid user session can use it to masquerade as the victim and access their personal data; if the victim has administrative privileges, the security of the entire web site is at risk.
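    The following is an illustrative implementation of the behaviour described above, added here as an example; it is not the project's own source for this class, whose body the page does not show. It assumes the Servlet 3.0 API (for HttpServletResponse.getHeaders) and the default session cookie name JSESSIONID; the nested class NoCacheOnSessionCookie and the helper isSessionSetCookie are names introduced for the example. It inspects the Set-Cookie header at the moment it is written (via a response wrapper) and again after the filter chain returns, because the container writes the session cookie to the underlying response when it creates a session, bypassing any wrapper, and once the response is committed the headers can no longer be changed.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Illustrative implementation (not the project's source): marks any response that
// issues the JSESSIONID cookie as non-cacheable.
public class JSessionIdNoCacheFilter implements Filter {

    // Assumed cookie name. JSESSIONID is the Servlet default, but deployments can
    // rename it (web.xml <session-config><cookie-config><name>); in that case read
    // it from ServletContext.getSessionCookieConfig() in init().
    static final String SESSION_COOKIE = "JSESSIONID";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (!(response instanceof HttpServletResponse)) {
            chain.doFilter(request, response);   // not HTTP: nothing to protect
            return;
        }
        NoCacheOnSessionCookie wrapped =
                new NoCacheOnSessionCookie((HttpServletResponse) response);
        chain.doFilter(request, wrapped);

        // Second pass: the container adds the session cookie directly to the
        // underlying response when request.getSession() creates a session, so the
        // wrapper never sees it. Re-check the headers while they are still mutable.
        for (String value : wrapped.getHeaders("Set-Cookie")) {   // Servlet 3.0+
            if (isSessionSetCookie("Set-Cookie", value)) {
                wrapped.markNoCache();
                break;
            }
        }
    }

    // True for a raw header such as "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly".
    static boolean isSessionSetCookie(String name, String value) {
        return "Set-Cookie".equalsIgnoreCase(name)
                && value != null
                && value.trim().startsWith(SESSION_COOKIE + "=");
    }

    // Wrapper covering the paths by which application code can emit Set-Cookie:
    // the typed addCookie() API and raw addHeader()/setHeader() calls.
    static final class NoCacheOnSessionCookie extends HttpServletResponseWrapper {
        private boolean marked;

        NoCacheOnSessionCookie(HttpServletResponse response) { super(response); }

        @Override
        public void addCookie(Cookie cookie) {
            if (SESSION_COOKIE.equals(cookie.getName())) {
                markNoCache();
            }
            super.addCookie(cookie);
        }

        @Override
        public void addHeader(String name, String value) {
            if (isSessionSetCookie(name, value)) {
                markNoCache();
            }
            super.addHeader(name, value);
        }

        @Override
        public void setHeader(String name, String value) {
            if (isSessionSetCookie(name, value)) {
                markNoCache();
            }
            super.setHeader(name, value);
        }

        void markNoCache() {
            if (marked || isCommitted()) {
                return;   // headers already on the wire: too late to change them
            }
            marked = true;
            // no-cache forces caches to revalidate before reuse; no-store (stricter,
            // RFC 7234) additionally forbids keeping any copy at all.
            super.setHeader("Cache-Control", "no-cache, no-store");
            super.setHeader("Pragma", "no-cache");   // HTTP/1.0 intermediaries
        }
    }
}
```

    Register the filter on every path (a `<filter>`/`<filter-mapping>` pair mapped to `/*` in web.xml, or `@WebFilter("/*")`), ordered before any filter that may commit the response. Two caveats a deployment should address alongside this filter: a session id that reaches the page through URL rewriting (`;jsessionid=...` in links) sits in the response body, where no header check can see it, so disable that tracking mode with `<tracking-mode>COOKIE</tracking-mode>` inside `<session-config>`; and the cookie itself should carry the `HttpOnly` and `Secure` attributes, which the cache policy does not provide.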
    • Method Summary

      Modifier and Type   Method
      void                destroy()
      void                doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain filterChain)
      void                init(javax.servlet.FilterConfig filterConfig)
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • JSessionIdNoCacheFilter

        public JSessionIdNoCacheFilter()
    • Method Detail

      • doFilter

        public void doFilter(javax.servlet.ServletRequest request,
                             javax.servlet.ServletResponse response,
                             javax.servlet.FilterChain filterChain)
                      throws java.io.IOException,
                             javax.servlet.ServletException
        Specified by:
        doFilter in interface javax.servlet.Filter
        Throws:
        java.io.IOException
        javax.servlet.ServletException
      • destroy

        public void destroy()
        Specified by:
        destroy in interface javax.servlet.Filter
      • init

        public void init(javax.servlet.FilterConfig filterConfig)
        Specified by:
        init in interface javax.servlet.Filter