[jboss-jira] [JBoss JIRA] (WFLY-5663) Default authentication behavior vulnerable to session fixation attacks
Stuart Douglas (JIRA)
issues at jboss.org
Tue Dec 8 00:26:00 EST 2015
[ https://issues.jboss.org/browse/WFLY-5663?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stuart Douglas resolved WFLY-5663.
----------------------------------
Fix Version/s: 10.0.0.CR5
Resolution: Done
> Default authentication behavior vulnerable to session fixation attacks
> ----------------------------------------------------------------------
>
> Key: WFLY-5663
> URL: https://issues.jboss.org/browse/WFLY-5663
> Project: WildFly
> Issue Type: Bug
> Components: Security, Web (Undertow)
> Affects Versions: 10.0.0.CR4
> Reporter: Paul Ferraro
> Assignee: Stuart Douglas
> Priority: Critical
> Fix For: 10.0.0.CR5
>
>
> See: https://www.owasp.org/index.php/Session_Fixation
> In JBossWeb, there was a system property to enable this behavior: org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH
> Undertow does not seem to have an equivalent. I don't see any reason not to always force a session ID change following successful authentication when HttpSession.isNew() returns false.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
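As an added illustration (not code from WildFly, Undertow or the issue reporter), a servlet that applies the mitigation the issue asks for: after a successful programmatic login, rotate the session ID when the session already existed before the request. It assumes the Servlet 3.1 API (`HttpServletRequest.changeSessionId()`), which WildFly 10 provides; the servlet class, URL mapping and form parameter names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet (not part of WildFly/Undertow). Shows the
// session-fixation defence discussed in WFLY-5663: once the user has
// authenticated, any session ID that was handed out before login is
// replaced, so an ID an attacker fixed in the victim's browser beforehand
// no longer maps to the authenticated session.
@WebServlet("/login")
public class RotateSessionOnLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false) avoids creating a session only to rotate it.
        // A session created during this very request (isNew() == true) was
        // never visible to a third party, so only a pre-existing one needs
        // a new ID; this is the HttpSession.isNew() check from the issue.
        HttpSession session = req.getSession(false);
        boolean sessionPredatesRequest = session != null && !session.isNew();

        try {
            // Container-managed programmatic login (Servlet 3.0).
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException loginFailed) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        if (sessionPredatesRequest) {
            // Servlet 3.1: assigns a fresh ID and sends a new Set-Cookie while
            // keeping the session's attributes; the old ID stops resolving.
            // Must run before the response is committed, hence before redirect.
            req.changeSessionId();
            log("rotated session id after login for " + req.getRemoteUser());
        }
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

With container FORM authentication the login happens before any servlet code runs, so this servlet-level approach covers programmatic login only; the issue's fix moves the same rotation into the Undertow authentication layer so every mechanism gets it.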