[ https://issues.jboss.org/browse/WFLY-3642?page=com.atlassian.jira.plugin.... ]
Jan Dittberner commented on WFLY-3642:
--------------------------------------
This is an issue that came from an OWASP-Test for one of our web frontend applications.
There is a corresponding article in the OWASP wiki
https://www.owasp.org/index.php/Insufficient_Session-ID_Length.
Our customer has a requirement of 160 bits of session id length, defined by the security
department. 18 characters of base64 encoded data do not provide sufficient length to
fulfil this requirement.
{code:python}
>>> 64**18 < 2**128
True
{code}
Make length of session id configurable
--------------------------------------
Key: WFLY-3642
URL: https://issues.jboss.org/browse/WFLY-3642
Project: WildFly
Issue Type: Feature Request
Components: Web (Undertow)
Affects Versions: 8.1.0.Final, 8.2.0.Final
Environment: any
Reporter: Jan Dittberner
Priority: Minor
At the moment the session ids generated by WildFly/Undertow are of a fixed length of 18
characters. The [SecureRandomSessionIdGenerator|https://github.com/undertow-io/undertow/bl...]
that is used allows for setting a custom length, but this capability is not used in WildFly yet.
It would be nice to have this capability in the
[web subsystem configuration|https://docs.jboss.org/author/display/WFLY8/Undertow+(web)+...].
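As an added example (not from this issue, nor Undertow's own code), the entropy arithmetic behind the comment's `64**18 < 2**128` check and the sizing a configurable length would have to satisfy: bits of entropy for an id of a given number of base64 characters versus a given number of CSPRNG bytes before encoding, and the byte count needed for a 160-bit policy. `generate_session_id` is a hypothetical stand-in built on Python's `secrets`, not `SecureRandomSessionIdGenerator`; whether Undertow's 18 counts characters or random bytes is not settled by this page, so both views are computed.

```python
import base64
import math
import secrets

BITS_PER_B64_CHAR = 6   # 64-symbol alphabet: log2(64) = 6 bits per character


def entropy_bits_from_chars(n_chars: int) -> int:
    """Upper bound on entropy of an id of n_chars base64 characters (6 bits each).
    This is the quantity the comment's 64**18 < 2**128 check reasons about."""
    return n_chars * BITS_PER_B64_CHAR


def entropy_bits_from_bytes(n_bytes: int) -> int:
    """Entropy of an id built from n_bytes of CSPRNG output. Base64 encoding
    lengthens the string but adds no entropy, so the byte count is the real limit."""
    return n_bytes * 8


def random_bytes_needed(required_bits: int) -> int:
    """Smallest number of CSPRNG bytes that reaches required_bits of entropy."""
    return math.ceil(required_bits / 8)


def b64_chars_for_bytes(n_bytes: int) -> int:
    """Length of the unpadded base64 encoding of n_bytes."""
    return math.ceil(n_bytes * 8 / 6)


def generate_session_id(n_bytes: int) -> str:
    """Hypothetical stand-in generator (not Undertow's): n_bytes from the OS
    CSPRNG, URL-safe base64 encoded with padding stripped."""
    raw = secrets.token_bytes(n_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def meets_policy(n_bytes: int, required_bits: int) -> bool:
    """True when a configured random-byte length satisfies a policy such as 160 bits."""
    return entropy_bits_from_bytes(n_bytes) >= required_bits


if __name__ == "__main__":
    print("18 base64 chars carry at most", entropy_bits_from_chars(18), "bits")
    print("18 random bytes carry", entropy_bits_from_bytes(18), "bits")
    need = random_bytes_needed(160)
    print("160-bit policy needs", need, "bytes ->", b64_chars_for_bytes(need), "chars")
    print("sample id:", generate_session_id(need))
```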
--
This message was sent by Atlassian JIRA (v6.3.15#6346)