[Forgot Password]
Login  Register Subscribe












Paid content will be excluded from the download.

Download | Alert*
view XML

J2EE Misconfiguration: Insufficient Session-ID Length

ID: 6Date: (C)2012-05-14   (M)2012-11-08
Type: weaknessStatus: INCOMPLETE
Abstraction Type: Variant


The J2EE application is configured to use an insufficient session ID length.

Extended Description

If an attacker can guess or steal a session ID, then he/she may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.

Enabling Factors for Exploitation
If attackers use a botnet with hundreds or thousands of drone computers, it is reasonable to assume that they could attempt tens of thousands of guesses per second. If the web site in question is large and popular, a high volume of guessing might go unnoticed for some time.

Applicable Platforms
Language: Java

Time Of Introduction

  • Architecture and Design
  • Implementation

Related Attack Patterns

Common Consequences

ScopeTechnical ImpactNotes
Gain privileges / assume identity
If an attacker can guess an authenticated user's session identifier, they can take over the user's session.

Detection Methods

Potential Mitigations

 Session identifiers should be at least 128 bits long to prevent brute-force session guessing. A shorter session identifier leaves the application open to brute-force session guessing attacks.
 A lower bound on the number of valid session identifiers that are available to be guessed is the number of users that are active on a site at any given moment. However, any users that abandon their sessions without logging out will increase this number. (This is one of many good reasons to have a short inactive session timeout.) With a 64 bit session identifier, assume 32 bits of entropy. For a large web site, assume that the attacker can try 1,000 guesses per second and that there are 10,000 valid session identifiers at any given moment. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is less than 4 minutes. Now assume a 128 bit session identifier that provides 64 bits of entropy. With a very large web site, an attacker might try 10,000 guesses per second with 100,000 valid session identifiers available to be guessed. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is greater than 292 years.


Related CWETypeViewChain
CWE-6 ChildOf CWE-895 Category CWE-888  

Demonstrative Examples   (Details)

  1. The following XML example code is a deployment descriptor for a Java web application deployed on a Sun Java Application Server. This deployment descriptor includes a session configuration property for configuring the session ID length. (Demonstrative Example Id DX-47)

White Box Definitions

Black Box Definitions

Taxynomy Mappings

7 Pernicious Kingdoms  J2EE Misconfiguration: Insufficient Session-ID Length


  1. ..

© SecPod Technologies