[jboss-jira] [JBoss JIRA] (AS7-5315) It's not possible to regenerate SessionID preventing Session Fixation attack

Endrigo Antonini (JIRA) jira-events at lists.jboss.org
Mon Aug 6 17:31:07 EDT 2012


Endrigo Antonini created AS7-5315:
-------------------------------------

             Summary: It's not possible to regenerate SessionID preventing Session Fixation attack
                 Key: AS7-5315
                 URL: https://issues.jboss.org/browse/AS7-5315
             Project: Application Server 7
          Issue Type: Feature Request
          Components: Security, Web
    Affects Versions: 7.1.1.Final
         Environment: JBoss 7.1.1.Final, JAAS, Windows 7
            Reporter: Endrigo Antonini
            Assignee: Anil Saldhana


I tried to find a way to regenerate the session ID.

The server generates the "sessionId" when the user opens the login page. After the whole "authentication process" inside the secured system, the user still has the same "sessionId".

This is a security problem. This allows an ill-intentioned person to hijack the user's session, consequently giving that person all the permissions the hijacked session has.

The link below shows a possible way to fix that inside the program. The problem is that this code doesn't work on JBoss.
https://www.owasp.org/index.php/Session_Fixation_in_Java

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
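Added example (not code from the reporter, the linked OWASP page, or JBoss AS 7): a Servlet 3.0 login servlet that applies the invalidate-and-recreate pattern the reporter is trying to use, but rotates the session before calling the container's programmatic login and then checks that the container actually handed out a different ID. That check is the practical point: if the ID is unchanged after rotation, the fixation window is still open and the login is refused rather than silently accepted. The class name, the URL mapping, the "j_username"/"j_password" form fields, and the "/secure/" redirect target are assumptions; HttpServletRequest.login() is assumed to be backed by the application's configured security domain.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical login servlet (added example, not JBoss or OWASP code).
 * Assumes form fields "j_username" / "j_password" and a security domain
 * that HttpServletRequest.login() can authenticate against.
 */
@WebServlet("/login")
public class FixationSafeLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("j_username");
        String pass = req.getParameter("j_password");

        // 1. Remember the pre-authentication ID (the one an attacker could
        //    have planted) so we can verify later that it was replaced.
        HttpSession old = req.getSession(false);
        String oldId = (old == null) ? null : old.getId();

        // 2. Rotate the session BEFORE authenticating, so the container
        //    attaches the authenticated principal to the fresh session.
        HttpSession fresh = rotateSession(req);

        // 3. Verify the container really issued a new ID. If it did not,
        //    refuse to proceed: authenticating now would complete the fixation.
        if (oldId != null && oldId.equals(fresh.getId())) {
            fresh.invalidate();
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "container did not regenerate the session ID");
            return;
        }

        // 4. Authenticate against the configured security domain.
        try {
            req.login(user, pass);
        } catch (ServletException e) {
            fresh.invalidate();
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.sendRedirect(req.getContextPath() + "/secure/");
    }

    /**
     * Copies the attributes of the current session (if any), invalidates it,
     * and creates a new session carrying the same attributes. Returns the
     * new session so the caller can compare IDs.
     */
    static HttpSession rotateSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

The comparison in step 3 is what turns the OWASP pattern into something you can actually verify on a given container: deploy, log in, and confirm the JSESSIONID cookie in the response differs from the one sent with the login request. If it does not, the container is not honouring the invalidate-and-recreate sequence and the problem is exactly the one this issue reports.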

        

