[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1361) sessionId cookie: man-in-the-middle attack

sessionId cookie: man-in-the-middle attack ------------------------------------------ Key: JBSEAM-1361 URL: http://jira.jboss.com/jira/browse/JBSEAM-1361 Project: JBoss Seam Issue Type: Feature Request Components: Security Affects Versions: 1.2.1.GA Environment: general feature Reporter: fguerzoni Assigned To: Shane Bryzak I noticed that sessionId cookie sent to client before authentication remains the same even after login succedeed. This could lead to a man-in-the-middle attack because pre-login sessionId could be easily sniffed. So, it would be very nice if it should be possible to do a session switching on server side forcing a pre-login session invalidation and a new session creation (request.getSession(true)) as soon as client authenticates. Old session data should then be copied to new session. In this case a new sessionId cookie will be sent to client: client will use this ticket during next requests. This mechanism collides with the actual Seam implementations where Lifecycle.endSession is called after a session.invalidate I think that Seam should automatically execute this task during the authentication phase.