Stuart Douglas resolved WFLY-5663.
----------------------------------
Fix Version/s: 10.0.0.CR5
Resolution: Done
Default authentication behavior vulnerable to session fixation attacks
----------------------------------------------------------------------
Key: WFLY-5663
URL: https://issues.jboss.org/browse/WFLY-5663
Project: WildFly
Issue Type: Bug
Components: Security, Web (Undertow)
Affects Versions: 10.0.0.CR4
Reporter: Paul Ferraro
Assignee: Stuart Douglas
Priority: Critical
Fix For: 10.0.0.CR5
See: https://www.owasp.org/index.php/Session_Fixation
In JBossWeb, there was a system property to enable this behavior:
org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH
Undertow does not seem to have an equivalent. I don't see any reason not to always
force a session ID change following successful authentication when HttpSession.isNew()
returns false.
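The mitigation the report asks for, modelled as an added example (not WildFly or Undertow code): a minimal in-memory session store where login rotates the identifier whenever the session predates the current request, shown beside the vulnerable variant that keeps the pre-authentication id. The store, `login_fixed` and `login_vulnerable` are constructed for illustration; `change_session_id` stands in for the Servlet 3.1 `HttpServletRequest.changeSessionId()` call.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store, constructed for this illustration."""

    def __init__(self):
        self._sessions = {}  # session id -> attribute dict

    def create(self):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"new": True}  # created on this request: isNew() == true
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def touch(self, sid):
        # A later request reuses the session: from now on isNew() == false.
        self._sessions[sid]["new"] = False

    def change_session_id(self, sid):
        # Same attributes, fresh identifier, old identifier no longer resolves.
        attrs = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(16)
        self._sessions[new_sid] = attrs
        return new_sid


def login_vulnerable(store, sid, user):
    """Authenticates in place: an id issued before login is now an authenticated id."""
    store.get(sid)["principal"] = user
    return sid


def login_fixed(store, sid, user):
    """Authenticates and rotates the id when the session was not created on this request."""
    session = store.get(sid)
    session["principal"] = user
    if not session["new"]:
        return store.change_session_id(sid)
    return sid


def demo(fixed):
    """Runs one login against a session that already existed before authentication."""
    store = SessionStore()
    pre_auth_id = store.create()  # id established before authentication
    store.touch(pre_auth_id)       # victim's later request: session exists, isNew() is false
    login = login_fixed if fixed else login_vulnerable
    post_auth_id = login(store, pre_auth_id, "alice")
    stale = store.get(pre_auth_id)
    return {
        "id_rotated": post_auth_id != pre_auth_id,
        "pre_auth_id_authenticated": stale is not None and stale.get("principal") == "alice",
        "post_auth_principal": store.get(post_auth_id)["principal"],
    }
```

With `fixed=True` the id that existed before login no longer resolves, so knowing it beforehand buys nothing; a session created on the login request itself keeps its id, matching the `isNew()` condition in the report.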