[jboss-jira] [JBoss JIRA] (AS7-5315) It's not possible to regenerate SessionID preventing Session Fixation attack

Endrigo Antonini (JIRA) jira-events at lists.jboss.org
Wed Sep 5 08:36:33 EDT 2012 

    [ https://issues.jboss.org/browse/AS7-5315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12716038#comment-12716038 ] 

Endrigo Antonini commented on AS7-5315:
---------------------------------------

So you are saying to use the "Disable URL rewriting" option. Is it possible on JBOSS? I made a search on the documentation and didn't found nothing. If you are saying that this is the solution, please tell me where is the documentation or how can i find it.
                
> It's not possible to regenerate SessionID preventing Session Fixation attack
> ----------------------------------------------------------------------------
>
>                 Key: AS7-5315
>                 URL: https://issues.jboss.org/browse/AS7-5315
>             Project: Application Server 7
>          Issue Type: Feature Request
>          Components: Security, Web
>    Affects Versions: 7.1.1.Final
>         Environment: JBoss 7.1.1.Final, JAAS, Windows 7
>            Reporter: Endrigo Antonini
>            Assignee: Jean-Frederic Clere
>              Labels: JAAS, Security, Session, SessionFixation, SessionHijack
>
> I tried to find a way so I can regenerate the Session ID.
> The server generate the "sessionId" when the user open the login page. After all the "authentication process" inside the secured system, the user still have the same "sessionId".
> This is a security problem. This allow a not good intended person to hijack the user session consequently giving all permission to this person that the hijacked session has.
> The link bellow show an possible way to fix that inside the program. The problem is that this code doesn't work on JBoss.
> https://www.owasp.org/index.php/Session_Fixation_in_Java

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list