[ https://jira.jboss.org/jira/browse/TEIID-329?page=com.atlassian.jira.plug... ]
Steven Hawkins closed TEIID-329.
--------------------------------
Resolution: Done
Changed back to a long session identifier. SessionToken is responsible for holding the
session secret. Also ensured that session tokens were not leaked to the clients in any
other way than logonresult.
Change sessionid to something non-guessable
-------------------------------------------
Key: TEIID-329
URL:
https://jira.jboss.org/jira/browse/TEIID-329
Project: Teiid
Issue Type: Task
Components: Server
Affects Versions: 6.0.0
Reporter: Steven Hawkins
Assignee: Steven Hawkins
Fix For: 6.1.0
Original Estimate: 1 day
Remaining Estimate: 1 day
Currently the sessionid is based upon a long sequence. It is extremely easy to exploit
and then hijack a session. Sessionids should instead be based upon something that is hard
to guess (such as a UUID) and should also be encrypted when being returned to the server
or resent from the client.
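As an added illustration (not Teiid's own code), the shape of the fix described in the closing comment: a sequential session id stays, but it is paired with a separately generated random secret held by a SessionToken, handed out only in the logon result and checked with a constant-time comparison, so knowing or guessing the id alone is not enough to resume a session. The `SessionService`, `logon` and `validate` names are hypothetical.

```python
import hmac
import itertools
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionToken:
    """Session identifier plus the secret that proves ownership of it.

    The id may be a plain sequence value; the secret carries all the
    unguessability, so it must come from a CSPRNG and never be logged
    or echoed back to clients outside the logon result.
    """
    session_id: int
    secret: bytes  # 32 bytes (256 bits) from the OS CSPRNG


class SessionService:
    """Hypothetical server-side session registry (example only)."""

    def __init__(self):
        self._counter = itertools.count(1)      # long sequence, as before
        self._sessions = {}                     # session_id -> SessionToken

    def logon(self) -> SessionToken:
        # The full token is returned exactly once, in the logon result.
        token = SessionToken(next(self._counter), secrets.token_bytes(32))
        self._sessions[token.session_id] = token
        return token

    def validate(self, session_id: int, presented_secret: bytes) -> bool:
        """True only if the caller presents the secret issued for this id."""
        token = self._sessions.get(session_id)
        if token is None:
            return False
        # Constant-time comparison so timing does not leak how many
        # leading bytes of a guessed secret were correct.
        return hmac.compare_digest(token.secret, presented_secret)


def demo():
    """Two logons: ids are adjacent, but neither secret unlocks the other."""
    svc = SessionService()
    a, b = svc.logon(), svc.logon()
    return (b.session_id == a.session_id + 1,   # id is predictable
            svc.validate(a.session_id, a.secret),
            svc.validate(a.session_id, b.secret))
```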
--
This message is automatically generated by JIRA.