[jboss-jira] [JBoss JIRA] (AS7-5315) It's not possible to regenerate SessionID preventing Session Fixation attack

Vasilios Kyriakakis (JIRA) jira-events at lists.jboss.org
Wed Sep 5 09:26:32 EDT 2012


    [ https://issues.jboss.org/browse/AS7-5315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12716058#comment-12716058 ] 

Vasilios Kyriakakis commented on AS7-5315:
------------------------------------------

It is possible and I'm not talking about trying to regenerate a session id. I know that is impossible. But from a security standpoint, if you are the CFO and open your browser and go to your company's financial app, before you log in you decide to go for a coffee. All I have to do is come to your computer, pull the JSESSIONID hash value from your cookie, wait for you to log in and use that cookie to gain access to the app with your credentials. It is as simple as that. If JBoss would simply generate a new session id after authentication, session fixation would not be an issue.
                
> It's not possible to regenerate SessionID preventing Session Fixation attack
> ----------------------------------------------------------------------------
>
>                 Key: AS7-5315
>                 URL: https://issues.jboss.org/browse/AS7-5315
>             Project: Application Server 7
>          Issue Type: Feature Request
>          Components: Security, Web
>    Affects Versions: 7.1.1.Final
>         Environment: JBoss 7.1.1.Final, JAAS, Windows 7
>            Reporter: Endrigo Antonini
>            Assignee: Jean-Frederic Clere
>              Labels: JAAS, Security, Session, SessionFixation, SessionHijack
>
> I tried to find a way so I can regenerate the Session ID.
> The server generates the "sessionId" when the user opens the login page. After the whole "authentication process" inside the secured system, the user still has the same "sessionId".
> This is a security problem. This allows an ill-intentioned person to hijack the user's session, consequently giving this person all the permissions that the hijacked session has.
> The link below shows a possible way to fix that inside the program. The problem is that this code doesn't work on JBoss.
> https://www.owasp.org/index.php/Session_Fixation_in_Java

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
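The mitigation the comment asks for, as an added Servlet 3.0 example (not code from the issue, JBoss, or the OWASP page): invalidate the pre-login session and let the container issue a fresh JSESSIONID once request.login() succeeds. The reporter states the OWASP variant did not work for him on JBoss AS 7.1.1, so this shows the portable pattern rather than a verified JBoss fix.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the issue or JBoss): rotate the session id after a
// successful login so a JSESSIONID captured before authentication is useless.
// Servlet 3.0 has no changeSessionId(), so the old session is invalidated and
// a new one created; request.login() is the Servlet 3.0 container login
// (JAAS-backed on JBoss), not a helper invented here.
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String user = request.getParameter("username");
        String pass = request.getParameter("password");
        try {
            request.login(user, pass);           // container checks credentials
        } catch (ServletException bad) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession fresh = rotateSession(request);
        fresh.setAttribute("user", user);        // set state only on the new session
        response.sendRedirect(request.getContextPath() + "/app");
    }

    /** Invalidates the pre-login session and returns a new one with its attributes. */
    static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            // Copy only what the app needs; anything seeded before login is
            // untrusted, so a whitelist of attribute names is the safer choice.
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();                    // the id an attacker may hold dies here
        }
        HttpSession fresh = request.getSession(true); // new JSESSIONID is issued
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```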