0

Actually I have a serious problem : I saw that somebody has accessed my site from japan while i had not given any login id and password to unauthorized users. I alloted userids and passwords to only authenticated users and i am tracking login, logout time and login and logout IP Addresses details when an authenticated user is logged in. But i found that in my database there is no login time,login userid, login IP address but there is logout time, Logout IP address present in my database where userid is null. How is it possible??? A person from Japan has logged out from my site on 16:20:18 where as he has not logged in how?? Logout without Login?

Need help from experts Please

My web application is of jsp, servlets,java classes and oracle 10g : I have given the following protection: 

 1. CSRF Protection 
 2. SQL Injection protection 
 3. XSS Protection 
 4. No Broken Authentication and session

Very soon i am going to put SSL.

Authentication servlet:

HttpSession session1 = request.getSession(false);
     PrintWriter out = response.getWriter();
      try{
   if(request.getMethod().equalsIgnoreCase("POST")){
String user="";
String timenow="";
String strQuery="";
String today="";
String tour="";
try{
String useridfinal = (String)request.getParameter("userid");
    String userpassfinal = (String)request.getParameter("userpassword");
         Pattern p10 = Pattern.compile("[A-Z0-9a-z]+");// XSS checking
Matcher m10 = p10.matcher(useridfinal);
boolean b10 = m10.matches();
Pattern p11 = Pattern.compile("[A-Z!_,.a-z0-9]+");// XSS checking
Matcher m11 = p11.matcher(userpassfinal);
boolean b11 = m11.matches();
if(useridfinal == null || b10==false){
session1.setAttribute("errorlogin", "Invalid Login ID or userpassword");
response.sendRedirect("login.jsp");
        }
else if(userpassfinal == null || b11==false){
session1.setAttribute("errorlogin", "Invalid Login ID or userpassword");
response.sendRedirect("login.jsp");
}
else{
try {
  dbconnection db= new dbconnection();
 db.getConnection();
PreparedStatement ps=null;
     PreparedStatement ps2=null;
 ResultSet  rs=null;
ResultSet  rs1=null;
String ipadd="";
     try {
ipadd= request.getRemoteAddr();//tracking IP address
}
catch(Exception e) {
}
               SimpleDateFormat sdfDate = new SimpleDateFormat("dd-MM-yy HH:mm:ss");         
Date now = new Date();
String strDate = sdfDate.format(now);
    if(request.getParameter("userid")!=null &&
        (request.getParameter("userid") == null ? "" != null : !request.getParameter("userid").equals("")) && request.getParameter("userpassword")!=null &&
        (request.getParameter("userpassword") == null ? "" != null : !request.getParameter("userpassword").equals("")))
    {
 if ( session1 != null) {
               session1.invalidate(); }
 session1 = request.getSession(true);
    String s=(String)useridfinal;
       MessageDigest m=MessageDigest.getInstance("MD5");
       m.update(s.getBytes(),0,s.length());
       String encuseridfinal=(new BigInteger(1,m.digest()).toString(16));
      String s1=(String)userpassfinal;
       MessageDigest m1=MessageDigest.getInstance("MD5");
       m1.update(s1.getBytes(),0,s1.length());
       String encuserpassfinal=(new BigInteger(1,m1.digest()).toString(16));
ps= db.con.prepareStatement("select * from login where loginid=? and  loginpass=? ");
ps.setString(1, useridfinal);
ps.setString(2, encuserpassfinal);// encrypted userpassword
     try {
      rs=ps.executeQuery();
       } catch (SQLException ex) { 
        }
      int count=0;
      while(rs.next())
      {
 count++;
try {
  //Initialize SecureRandom
  //This is a lengthy operation, to be done only upon
  //initialization of the application
  SecureRandom prng = SecureRandom.getInstance("SHA1PRNG");
  //generate a random number
  String randomNum = new Integer( prng.nextInt() ).toString();
  //get its digest
  MessageDigest sha = MessageDigest.getInstance("SHA-1");
  byte[] result =  sha.digest( randomNum.getBytes() );
String csrf="";

csrf=hexEncode(result);
                try{
Calendar calendar = new GregorianCalendar();
int hour = calendar.get(Calendar.HOUR_OF_DAY);
int minute = calendar.get(Calendar.MINUTE);
int second = calendar.get(Calendar.SECOND);
today=(+hour+":"+minute+":"+second +"");
Date date = new Date();
SimpleDateFormat sdf = null;
String strDate1 = "";
sdf = new SimpleDateFormat("dd-MM-yy");
strDate1 = sdf.format(date);
tour=strDate1+" "+today;
               try{
           ps2 = db.con.prepareStatement("insert into logindetails (login_id, login_dt, login_ipaddress) values (?, to_date(?, 'DD-MM-YY hh24:mi:ss'),?) ");
               }
               catch(Exception e){
               }
ps2.setString(1, useridfinal);
try{
ps2.setString(2, tour);
}
catch(Exception e){}
try{
ps2.setString(3, ipadd);
}
catch(Exception e){}
try {
 rs1=ps2.executeQuery();
}
catch(SQLException ex){
}
 rs1.close();
 ps2.close();
  } 
               catch(Exception e){
               }
         session1.setAttribute("useridfinal", useridfinal);
      session1.setAttribute("csrftoken", csrf); //csrf token generation      
    response.sendRedirect("home.jsp");
  session1.setAttribute("authenticated", true);  
}
catch(Exception e){}
 }
 try{
       rs.close();
       }
       catch(Exception e){}
       try{
       ps.close();
       }
       catch(Exception e){}
     try{
    db.removeConnection();
     }
 catch(Exception e){}
      if(count==0)
      {
 session1.setAttribute("errorlogin", "Invalid Login ID or userpassword");
 response.sendRedirect("login.jsp");
      }
    }
    else {   
 session1.setAttribute("errorlogin", "Invalid Login ID or userpassword");
 response.sendRedirect("login.jsp");
}
  } catch (Exception e) {
  }
 }
} catch (Exception e) {
      out.println("please try later");
  }
   }
else{
response.sendRedirect("login.jsp");
}
    } catch (Exception e) {
   response.sendRedirect("login.jsp");
   }
processRequest(request, response);
}
function() {// For generating secure token
return token;
}

Signout Code

<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>JSP Page</title>
    <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META NAME="ROBOTS" CONTENT="NONE"> 
<META NAME="GOOGLEBOT" CONTENT="NOARCHIVE">
</head>
<body>
     <%
String user="";
HttpSession session1 = request.getSession(false);
if(session1.getAttribute("useridfinal")!=null &&
session1.getAttribute("useridfinal")!="")
{
user = session1.getAttribute("useridfinal").toString();
}
    String today="";
String tour="";
dbconnection db= new dbconnection();
db.getConnection();
PreparedStatement ps=null;
     PreparedStatement ps2=null;
ResultSet  rs=null;
ResultSet  rs1=null;
try{
Calendar calendar = new GregorianCalendar();
int hour = calendar.get(Calendar.HOUR_OF_DAY);
int minute = calendar.get(Calendar.MINUTE);
int second = calendar.get(Calendar.SECOND);
today=(+hour+":"+minute+":"+second +"");
Date date = new Date();
SimpleDateFormat sdf = null;
String strDate1 = "";
sdf = new SimpleDateFormat("dd-MM-yy");
strDate1 = sdf.format(date);
String useripadd="";
try {
useripadd= request.getRemoteAddr();
}
catch(Exception e) {
}
 tour=strDate1+" "+today;
               try{
           ps2 = db.con.prepareStatement("insert into logindetails 
(loginid,logoutdt,logoutipaddress) values (?,to_date(?, 'DD-MM-YY hh24:mi:ss'),?)");
               }
               catch(Exception e){
               }
ps2.setString(1, user);
try{
ps2.setString(2, tour);
}
catch(Exception e){          }
ps2.setString(3, useripadd);
try {
 rs1=ps2.executeQuery();
}
catch(SQLException ex){
out.println(ex);
}
 rs1.close();
 ps2.close();
db.removeConnection();
 }
               catch(Exception e){
               }
       String csrf="";
request.getSession(false).removeAttribute("useridfinal");
request.getSession(false).removeAttribute("csrftoken");
response.setHeader("Pragma","no-cache"); 
response.setHeader("Cache-Control","no-store"); 
response.setHeader("Expires","0"); 
response.setDateHeader("Expires",-1); 
session1.invalidate();
response.sendRedirect("login.jsp");
%>
</body>

From the IP address i knew that that the location is japan. I do not know how it happened. Any help please?????????

Tom
  • 761
  • 7
  • 22
  • 41
  • please help somebody....help needed from experts – Tom Jan 13 '12 at 08:16
  • Show us the code used to logout and trace this logout, and explain us when this code is invoked. – JB Nizet Jan 13 '12 at 08:28
  • ya i am posting the code by editing my question...i need your help at this moment... – Tom Jan 13 '12 at 09:29
  • when a user clicks signout then one record is being inserted which keeps track of loginid, logout time and logout ip address. I have posted my login and logout code....anyhelp is much appreciated – Tom Jan 13 '12 at 10:37

2 Answers2

1

It may be possible that the they may have used proxy for the login-logout and the user will be of your known person only and he may have access to your database and he want to do something wrong with your system so he login and done something wrong. And after that he may have removed his accesstime details.

Bhavik Ambani
  • 6,557
  • 14
  • 55
  • 86
  • How can he remove his accesstime details? How can he view my database? As far as known user is concerned NO known person is living in japan of my authenticated users. – Tom Jan 13 '12 at 10:40
  • You are right that no one is living Japan , but by using proxy of Japan IP they can manipulate your database. – Bhavik Ambani Jan 16 '12 at 06:29
1

Suppose your app is hosted at http://your.host.com/app, and suppose your logout JSP is named logout.jsp. If I just use my browser and type http://your.host.com/app/logout.jsp in the address bar and hit enter, you'll have a logout without login in your database. No need to crack anything.

Another possibility is that, since you ignore basically any exception that occurs, the login has succeeded but the insert into the database has failed. It's certainly that which happened, since to insert the login in database, you use executeQuery instead of using executeUpdate.

Your code is really, really, terrible. You should learn to indent code, use JDBC correctly, handle exceptions correctly, use transactions instead of autocommit, and close resultsets, statements and connections in finally blocks. And Java code in JSP is really bad practice.

Read tutorials, and NEVER do catch(Exception) {}.

JB Nizet
  • 678,734
  • 91
  • 1,224
  • 1,255
  • ...thanks for your help..ya i will close connection inside final block but i have written executeQuery because i am inserting record each time whenever user is logged out..i am not updating logout time. Should i write java code in Servlet only? i found this IP address: 150.70.64.198. Is not it from Japan? – Tom Jan 13 '12 at 11:06
  • Read tutorials. Learn. Practice. Read the javadoc. Start by reading the javadoc of executeUpdate. And also read http://stackoverflow.com/questions/3177733/how-to-avoid-java-code-in-jsp-files – JB Nizet Jan 13 '12 at 11:14
  • Ya you are right JB....typing url only..i got one record without login....how can i avoid it?????? – Tom Jan 13 '12 at 11:16
  • The logout page should only be accessible to logged in users. Protect it like you do for all the other pages that are only accessible to logged in users. – JB Nizet Jan 13 '12 at 11:17
  • Thanks JB....I salute you...it worked... Java Programmers like you are the gifted Programmers from God....I am saluting you again...:) – Tom Jan 13 '12 at 11:22