[jboss-jira] [JBoss JIRA] (AS7-5315) It's not possible to regenerate SessionID preventing Session Fixation attack
Jean-Frederic Clere (JIRA)
issues at jboss.org
Wed Feb 18 02:09:49 EST 2015
[ https://issues.jboss.org/browse/AS7-5315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13041167#comment-13041167 ]
Jean-Frederic Clere commented on AS7-5315:
------------------------------------------
org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH="true" will automatically change the SessionID on login (since EAP6).
> It's not possible to regenerate SessionID preventing Session Fixation attack
> ----------------------------------------------------------------------------
>
> Key: AS7-5315
> URL: https://issues.jboss.org/browse/AS7-5315
> Project: Application Server 7
> Issue Type: Feature Request
> Components: Security, Web
> Affects Versions: 7.1.1.Final
> Environment: JBoss 7.1.1.Final, JAAS, Windows 7
> Reporter: Endrigo Antonini
> Assignee: Jean-Frederic Clere
> Labels: JAAS, Security, Session, SessionFixation, SessionHijack
>
> I tried to find a way so I can regenerate the Session ID.
> The server generate the "sessionId" when the user open the login page. After all the "authentication process" inside the secured system, the user still have the same "sessionId".
> This is a security problem. This allow a not good intended person to hijack the user session consequently giving all permission to this person that the hijacked session has.
> The link bellow show an possible way to fix that inside the program. The problem is that this code doesn't work on JBoss.
> https://www.owasp.org/index.php/Session_Fixation_in_Java
--
This message was sent by Atlassian JIRA
(v6.3.11#6341)
More information about the jboss-jira
mailing list