[jboss-jira] [JBoss JIRA] (AS7-5315) It's not possible to regenerate SessionID preventing Session Fixation attack

Endrigo Antonini (JIRA) jira-events at lists.jboss.org
Wed Sep 5 09:37:32 EDT 2012


    [ https://issues.jboss.org/browse/AS7-5315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12716061#comment-12716061 ] 

Endrigo Antonini commented on AS7-5315:
---------------------------------------

That's the point Vasilios! The application that the team I work on had developed didn't pass the "penetration test" just because of it. They simulated it the same way you described, but it wasn't the CFO, it was the SYSADMIN of the application. So imagine that the "hacker" would have access to ALL the options of the system.
                
> It's not possible to regenerate SessionID preventing Session Fixation attack
> ----------------------------------------------------------------------------
>
>                 Key: AS7-5315
>                 URL: https://issues.jboss.org/browse/AS7-5315
>             Project: Application Server 7
>          Issue Type: Feature Request
>          Components: Security, Web
>    Affects Versions: 7.1.1.Final
>         Environment: JBoss 7.1.1.Final, JAAS, Windows 7
>            Reporter: Endrigo Antonini
>            Assignee: Jean-Frederic Clere
>              Labels: JAAS, Security, Session, SessionFixation, SessionHijack
>
> I tried to find a way so I can regenerate the Session ID.
> The server generates the "sessionId" when the user opens the login page. After all the "authentication process" inside the secured system, the user still has the same "sessionId".
> This is a security problem. This allows a person with bad intentions to hijack the user session, consequently giving this person all the permissions that the hijacked session has.
> The link below shows a possible way to fix that inside the program. The problem is that this code doesn't work on JBoss.
> https://www.owasp.org/index.php/Session_Fixation_in_Java

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
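For readers of this thread, the following is an added example (not JBoss code and not the OWASP page's code) of the invalidate-and-copy pattern the issue refers to: on successful authentication, the attributes of the pre-login session are copied aside, the old session is invalidated, a fresh session is created and the attributes are restored. Since the reporter states that this approach did not take effect on JBoss 7.1.1.Final, the helper compares the old and new session ids and fails loudly if the container handed back the same id, so the defence is never silently absent. The class name `SessionRegenerator`, the `dropAttributes` parameter and the `loginAttempts` attribute are assumptions for illustration.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Regenerates the HTTP session after authentication so that the session id
 * issued before login (which an attacker could have fixed in the victim's
 * browser) is no longer valid. Added example using only the Servlet 3.0 API;
 * hypothetical class name, not part of JBoss or of the OWASP page.
 */
public final class SessionRegenerator {

    private SessionRegenerator() {
    }

    /**
     * Invalidates the current session and returns a fresh one carrying the old
     * attributes, except those named in dropAttributes (pre-login state that
     * must not survive into the authenticated session).
     *
     * @throws IllegalStateException if the container returned the same id,
     *         i.e. regeneration did not actually happen on this container.
     */
    public static HttpSession regenerate(HttpServletRequest request, Set<String> dropAttributes) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        String oldId = null;

        if (old != null) {
            oldId = old.getId();
            // Copy the attributes we want to keep before invalidating.
            for (String name : Collections.list(old.getAttributeNames())) {
                if (!dropAttributes.contains(name)) {
                    carried.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();
        }

        // getSession(true) after invalidate() must yield a new id.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }

        // Defensive check: a reused id means the fixation defence is not in effect.
        if (oldId != null && oldId.equals(fresh.getId())) {
            throw new IllegalStateException(
                "Container reused session id " + oldId + " after invalidate(); "
                + "session regeneration is not effective on this container");
        }
        return fresh;
    }

    /**
     * Example login step: authenticate with the Servlet 3.0 container login,
     * then regenerate. "loginAttempts" is an assumed pre-login attribute that
     * should not be carried over.
     */
    public static HttpSession loginAndRegenerate(HttpServletRequest request,
                                                 String username, String password)
            throws ServletException {
        request.login(username, password); // throws ServletException on failure
        return regenerate(request, Collections.singleton("loginAttempts"));
    }
}
```

To confirm the control is actually active on a given server, compare the `JSESSIONID` cookie value the browser holds before the login request with the one in the `Set-Cookie` header of the login response; if they are identical, the regeneration did not take place and the container behaviour described in this issue applies. The same regeneration should be repeated at any later change of privilege level within the session.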

