]
Jean-Frederic Clere commented on AS7-5315:
------------------------------------------
again read the description... (
It's not possible to regenerate SessionID preventing Session
Fixation attack
----------------------------------------------------------------------------
Key: AS7-5315
URL:
https://issues.jboss.org/browse/AS7-5315
Project: Application Server 7
Issue Type: Feature Request
Components: Security, Web
Affects Versions: 7.1.1.Final
Environment: JBoss 7.1.1.Final, JAAS, Windows 7
Reporter: Endrigo Antonini
Assignee: Jean-Frederic Clere
Labels: JAAS, Security, Session, SessionFixation, SessionHijack
I tried to find a way so I can regenerate the Session ID.
The server generate the "sessionId" when the user open the login page. After
all the "authentication process" inside the secured system, the user still have
the same "sessionId".
This is a security problem. This allow a not good intended person to hijack the user
session consequently giving all permission to this person that the hijacked session has.
The link bellow show an possible way to fix that inside the program. The problem is that
this code doesn't work on JBoss.
https://www.owasp.org/index.php/Session_Fixation_in_Java
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: