I'm doing some vulnerability checks on Liferay using Burp Suite. Through Burp Suite, I changed the GET request and the cookie
Cookie: JSESSIONID=8415D05C1E66F72CE8803607B6FEC26B.node1; COOKIE_SUPPORT=true; USER_UUID="2n3duSU0cr8TgknmHzm8ghmRUS2LVJfx6zmuvGFspuY="; GUEST_LANGUAGE_ID=en_US; LFR_SESSION_STATE_2983586=1431672874448; COMPANY_ID=10154; ID=79307664464f436b414f657133626843444f577a65773d3d;
from one user to another. The page then loads as if the user is the other user whose request I copied.
I tried checking for the current user using ThemeDisplay, serviceContext.getUserId and request.getRemoteUser, but am unable to get the real user from before I "hacked" the changes into the request.
How am I able to get the real user if the request parameters and cookies get altered?
Best How To:
If you (rightfully) can't trust the network connection between server and browser, just switch to https - problem solved. Whatever public information is exchanged can be faked in addition to the session cookie. If you only communicate on an encrypted channel, you'll need to have the attacker on the server or on the client machine. And all bets are off then anyway.
The session id cookie is HTTP's way to communicate state between the browser and the server in an otherwise stateless protocol. If that can be spoofed, no other means of (also public) information can replace this pseudo-random number - so you'll need to keep it private.
Check this article and this Liferay App by yours truly on the issues of https as well as mixed mode (http/https). Spoiler alert: Mixed mode typically does not work. At least it doesn't solve the problem you expect it to solve.
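The following is an added illustration of the point the answer makes, not code from the question, the answer or Liferay itself: a session id is a bearer token, so the server can only map "whoever presents this id" to a user, and the other cookies in the request (USER_UUID, COMPANY_ID, ID) are public values that must never be used as a substitute for that lookup. The mitigation the answer recommends is modelled as well: the session cookie is issued with the Secure and HttpOnly attributes, and a request that arrives over plain HTTP is not allowed to claim a session at all. The session store, the request dictionary shape and the cookie values are all constructed for this example.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed server-side session store: session id -> user id.
# This is the only place identity lives; nothing in the client's cookies is trusted for it.
SESSIONS = {}


def create_session(user_id):
    """Issue a fresh, unguessable session id for an authenticated user."""
    sid = secrets.token_hex(16)  # 128 bits of randomness; this value must stay private
    SESSIONS[sid] = user_id
    return sid


def set_cookie_header(sid):
    """Build the Set-Cookie header for the session id.

    Secure   -> the browser only sends it over HTTPS (never in clear text)
    HttpOnly -> page scripts cannot read it
    SameSite -> the browser does not attach it to cross-site requests
    """
    return f"JSESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def resolve_user(request):
    """Return the user bound to the presented session, or None.

    request is a constructed dict: {"scheme": "https"|"http", "headers": {...}}.
    Only the JSESSIONID value is consulted; any USER_UUID / COMPANY_ID / ID
    cookies in the same header are ignored because the client controls them.
    """
    if request.get("scheme") != "https":
        # A session id that travelled in clear text may already be in someone
        # else's hands, so it is not honoured; the caller should redirect to HTTPS.
        return None
    jar = SimpleCookie()
    jar.load(request.get("headers", {}).get("Cookie", ""))
    morsel = jar.get("JSESSIONID")
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


def demo():
    """Walk through the scenario from the question on the constructed store."""
    sid_alice = create_session("alice")
    sid_bob = create_session("bob")

    # Alice's own request over HTTPS: the extra public cookies change nothing.
    alice_req = {
        "scheme": "https",
        "headers": {"Cookie": f"JSESSIONID={sid_alice}; COOKIE_SUPPORT=true; USER_UUID=bob; COMPANY_ID=10154"},
    }
    # The same request with Bob's session id pasted in: the server has no way to
    # tell this apart from Bob's own browser, which is exactly why the id must
    # never be exposed in transit.
    replayed_req = {
        "scheme": "https",
        "headers": {"Cookie": f"JSESSIONID={sid_bob}; COOKIE_SUPPORT=true; USER_UUID=alice"},
    }
    # Any session cookie arriving over plain HTTP is refused outright.
    plain_http_req = {
        "scheme": "http",
        "headers": {"Cookie": f"JSESSIONID={sid_alice}"},
    }
    return {
        "alice_over_https": resolve_user(alice_req),
        "replayed_bob_id": resolve_user(replayed_req),
        "alice_over_http": resolve_user(plain_http_req),
        "cookie_header": set_cookie_header(sid_alice),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `replayed_bob_id` result resolving to `bob` is the behaviour the question observed; it is not a bug in the lookup but a property of bearer-token sessions, which is why the answer's remedy is to keep the token confidential (HTTPS end to end, plus the Secure flag so the browser never leaks it on an HTTP request) rather than to look for a second identity signal in the request.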