[
https://issues.jboss.org/browse/AS7-5315?page=com.atlassian.jira.plugin.s...
]
Vasilios Kyriakakis commented on AS7-5315:
------------------------------------------
It is possible and I'm not talking about trying to regenrate a session id. I know that
is impossible. But from a security standpoint, if you are the CFO and open your browser
and go to your company's financial app, before you login you decide to go for a
coffee. All I have to do is come to your computer, pull the JSESSIONID hash value from
your cookie, wait for you to log in and use that cookie to gain access to the app with
your credentials. It is simple as that. If JBOSS would simply generate a new session id
after authentication, session fixation would be not an issue.
It's not possible to regenerate SessionID preventing Session
Fixation attack
----------------------------------------------------------------------------
Key: AS7-5315
URL:
https://issues.jboss.org/browse/AS7-5315
Project: Application Server 7
Issue Type: Feature Request
Components: Security, Web
Affects Versions: 7.1.1.Final
Environment: JBoss 7.1.1.Final, JAAS, Windows 7
Reporter: Endrigo Antonini
Assignee: Jean-Frederic Clere
Labels: JAAS, Security, Session, SessionFixation, SessionHijack
I tried to find a way so I can regenerate the Session ID.
The server generate the "sessionId" when the user open the login page. After
all the "authentication process" inside the secured system, the user still have
the same "sessionId".
This is a security problem. This allow a not good intended person to hijack the user
session consequently giving all permission to this person that the hijacked session has.
The link bellow show an possible way to fix that inside the program. The problem is that
this code doesn't work on JBoss.
https://www.owasp.org/index.php/Session_Fixation_in_Java
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:
http://www.atlassian.com/software/jira