Package org.opennms.web.security
Class JSessionIdNoCacheFilter
java.lang.Object
  org.opennms.web.security.JSessionIdNoCacheFilter

All Implemented Interfaces:
javax.servlet.Filter
public class JSessionIdNoCacheFilter extends java.lang.Object implements javax.servlet.Filter
Sets the header "cache-control: no-cache" if the response contains the jsessionid. This is done for security reasons: web servers use session cookies to identify active user sessions, and disclosing a session cookie to an attacker can result in a session hijacking attack. Session cookies should therefore be treated as sensitive data and well protected. With a secure cache-control policy in place, session cookies are typically held in browser memory rather than flushed to disk, and when the browsing session ends the corresponding cookies are deleted from the client machine. However, session cookies can also survive inside a cached web page. For example, when a user logs in to a web site, the returned page may carry session cookies in its "set-cookie" response headers. If that page's "cache-control" header is "public", every proxy server and gateway between the client and the server is allowed to cache the page, and the risk of exposing the session cookies to an attacker rises significantly. It is recommended to set the cache-control header to a secure value, e.g. no-cache. Much like a password, a stolen session cookie that represents a valid user session lets the attacker masquerade as the victim and access their personal data; if the victim has administrative privileges, the security of the entire web site is at risk.
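The following is an added illustration of the idea described above, not the OpenNMS implementation of JSessionIdNoCacheFilter: a javax.servlet Filter that wraps the response, watches for the JSESSIONID cookie being set (through addCookie() or a raw Set-Cookie header), and pins Cache-Control to no-cache on that response so a later "public" value cannot overwrite it. The class name SessionCookieNoCacheFilter, the wrapper class, and the extra Pragma header are this example's own choices.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Illustrative filter written for this page (not OpenNMS code): whenever the
 * application sets the JSESSIONID cookie on a response, the response is forced
 * to "Cache-Control: no-cache" so that neither a shared proxy nor the browser's
 * disk cache keeps a copy of the page that carries the session identifier.
 */
public class SessionCookieNoCacheFilter implements Filter {

    private static final String SESSION_COOKIE = "JSESSIONID";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            // Wrap the response so the session cookie is seen at the moment it is
            // set, before the headers are committed to the client.
            chain.doFilter(request, new NoCacheOnSessionCookie((HttpServletResponse) response));
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() {
        // no resources to release
    }

    /** Response wrapper that watches for the session cookie and pins Cache-Control. */
    static final class NoCacheOnSessionCookie extends HttpServletResponseWrapper {
        private boolean sessionCookieSeen;

        NoCacheOnSessionCookie(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void addCookie(Cookie cookie) {
            if (SESSION_COOKIE.equalsIgnoreCase(cookie.getName())) {
                markNoCache();
            }
            super.addCookie(cookie);
        }

        @Override
        public void setHeader(String name, String value) {
            if (isSessionSetCookie(name, value)) {
                markNoCache();
            }
            super.setHeader(name, pinCacheControl(name, value));
        }

        @Override
        public void addHeader(String name, String value) {
            if (isSessionSetCookie(name, value)) {
                markNoCache();
            }
            super.addHeader(name, pinCacheControl(name, value));
        }

        /** True for a raw "Set-Cookie: JSESSIONID=..." header written without addCookie(). */
        private static boolean isSessionSetCookie(String name, String value) {
            return "Set-Cookie".equalsIgnoreCase(name) && value != null
                    && value.regionMatches(true, 0, SESSION_COOKIE + "=", 0, SESSION_COOKIE.length() + 1);
        }

        /** Once the session cookie was seen, a later "Cache-Control: public" must not win. */
        private String pinCacheControl(String name, String value) {
            return (sessionCookieSeen && "Cache-Control".equalsIgnoreCase(name)) ? "no-cache" : value;
        }

        private void markNoCache() {
            sessionCookieSeen = true;
            super.setHeader("Cache-Control", "no-cache");
            super.setHeader("Pragma", "no-cache"); // for HTTP/1.0 intermediaries
        }
    }
}
```

Register it like any other filter (a filter and filter-mapping entry in web.xml, or a @WebFilter annotation) and map it to the paths that serve login and other session-establishing pages. One caveat worth knowing: when the container itself creates the session (request.getSession() on a request with no valid session id), some containers emit the JSESSIONID cookie on the underlying response rather than through the wrapper, so addCookie() here is never called. A defensive complement is to set no-cache up front on any response to a request whose HttpServletRequest.isRequestedSessionIdValid() is false, since such a request is exactly the one likely to receive a fresh session cookie.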
Constructor Summary
JSessionIdNoCacheFilter()

Method Summary
All Methods | Instance Methods | Concrete Methods
Modifier and Type | Method
void | destroy()
void | doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain filterChain)
void | init(javax.servlet.FilterConfig filterConfig)

Method Detail
doFilter
public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain filterChain) throws java.io.IOException, javax.servlet.ServletException
Specified by:
doFilter in interface javax.servlet.Filter
Throws:
java.io.IOException
javax.servlet.ServletException

destroy
public void destroy()
Specified by:
destroy in interface javax.servlet.Filter

init
public void init(javax.servlet.FilterConfig filterConfig)
Specified by:
init in interface javax.servlet.Filter