[
http://jira.jboss.com/jira/browse/JBSEAM-1361?page=comments#action_12364175 ]
Christian Bauer commented on JBSEAM-1361:
-----------------------------------------
I'm still not sure how that prevents me from stealing the new session in just the same
way, with an XSS attack. Doesn't matter if traffic is encrypted or not, if there is an
XSS hole I get the new identifier.
A new session would however defeat pure man-in-the-middle, attacker listening to the wire.
But this isn't the primary vector.
If we assume that the session identifier has been hijacked with a man-in-the-middle
attack, we need to also assume that the session data is invalid. So I say don't copy
it into the new session after scheme change.
invalidate session after scheme change
--------------------------------------
Key: JBSEAM-1361
URL:
http://jira.jboss.com/jira/browse/JBSEAM-1361
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 1.2.1.GA
Environment: general feature
Reporter: fguerzoni
Assigned To: Gavin King
Fix For: 1.3.0.ALPHA
I noticed that sessionId cookie sent to client before authentication remains the same
even after login succedeed. This could lead to a man-in-the-middle attack because
pre-login sessionId could be easily sniffed.
So, it would be very nice if it should be possible to do a session switching on server
side forcing a pre-login session invalidation and a new session creation
(request.getSession(true)) as soon as client authenticates. Old session data should then
be copied to new session.
In this case a new sessionId cookie will be sent to client: client will use this ticket
during next requests.
This mechanism collides with the actual Seam implementations where Lifecycle.endSession
is called after a session.invalidate
I think that Seam should automatically execute this task during the authentication phase.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira