CWE-6: J2EE Misconfiguration: Insufficient Session-ID Length

VariantIncomplete

The J2EE application is configured to use an insufficient session ID length.

View on MITRE
Back to CWE Lookup

Extended Description

If an attacker can guess or steal a session ID, then they may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.

Technical Details

Structure
Simple

Applicable To

Languages
Java
Platforms

Frequently Asked Questions

What is CWE-6: J2EE Misconfiguration: Insufficient Session-ID Length?+

CWE-6: J2EE Misconfiguration: Insufficient Session-ID Length is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The J2EE application is configured to use an insufficient session ID length. If an attacker can guess or steal a session ID, then they may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.

What are the security consequences of J2EE Misconfiguration: Insufficient Session-ID Length?+

If exploited, CWE-6 (J2EE Misconfiguration: Insufficient Session-ID Length) it can compromise Access Control, leading to outcomes such as Gain Privileges or Assume Identity.

How do you prevent or mitigate J2EE Misconfiguration: Insufficient Session-ID Length?+

Recommended mitigations for CWE-6 include: Session identifiers should be at least 128 bits long to prevent brute-force session guessing. A shorter session identifier leaves the application open to brute-force session guessing attacks. A lower bound on the number of valid session identifiers that are available to be guessed is the number of users that are active on a site at any given moment. However, any users that abandon their sessions without logging out will increase this number. (This is one of many good reasons to have a short inactive session timeout.) With a 64 bit session identifier, assume 32 bits of entropy. For a large web site, assume that the attacker can try 1,000 guesses per second and that there are 10,000 valid session identifiers at any given moment. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is less than 4 minutes. Now assume a 128 bit session identifier that provides 64 bits of entropy. With a very large web site, an attacker might try 10,000 guesses per second with 100,000 valid session identifiers available to be guessed. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is greater than 292 years.

Which programming languages are affected by J2EE Misconfiguration: Insufficient Session-ID Length?+

CWE-6 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-6 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More

CWE-6: J2EE Misconfiguration: Insufficient Session-ID Length | CWE Lookup | InventiveHQ