[jboss-jira] [JBoss JIRA] (WFLY-3642) Make length of session id configurable
Jan Dittberner (JIRA)
issues at jboss.org
Mon Jun 15 09:36:04 EDT 2015
[ https://issues.jboss.org/browse/WFLY-3642?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13079120#comment-13079120 ]
Jan Dittberner commented on WFLY-3642:
--------------------------------------
This is an issue that came from an OWASP test for one of our web frontend applications. There is a corresponding article in the OWASP wiki: https://www.owasp.org/index.php/Insufficient_Session-ID_Length.
Our customer has a requirement of 160 bits of session id length, defined by the security department. 18 characters of base64-encoded data do not provide sufficient length to fulfill this requirement.
{code:python}
>>> 64**18 < 2**128
True
{code}
> Make length of session id configurable
> --------------------------------------
>
> Key: WFLY-3642
> URL: https://issues.jboss.org/browse/WFLY-3642
> Project: WildFly
> Issue Type: Feature Request
> Components: Web (Undertow)
> Affects Versions: 8.1.0.Final, 8.2.0.Final
> Environment: any
> Reporter: Jan Dittberner
> Priority: Minor
>
> At the moment the session ids generated by WildFly/Undertow are of a fixed length of 18 characters. The [SecureRandomSessionIdGenerator|https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/session/SecureRandomSessionIdGenerator.java] in use allows setting a custom length, but this capability is not used in WildFly yet.
> It would be nice to have this capability in the [web subsystem configuration|https://docs.jboss.org/author/display/WFLY8/Undertow+(web)+subsystem+configuration].
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
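The arithmetic behind the comment above, as an added example (not the reporter's code and not Undertow's): the entropy of a session id is bounded by the random material that went into it, and the encoding only changes how many characters that material occupies. The block computes the ceiling for a token of N symbols (the 64**18 bound from the comment), the character count that N random bytes produce under base64, the byte count a 160-bit policy needs, and a black-box assessment of a sampled cookie value. The generator model (draw N bytes from a CSPRNG, base64url-encode, strip padding) and the sample cookie values are assumptions constructed for the example.

```python
import base64
import math
import re
import secrets

# Added example: entropy arithmetic for session ids.  The printed length of an
# id says nothing by itself; what matters is how many random bits went in.
# Encoding (hex, base64) only changes how those bits are written down.

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")


def entropy_bits_for_chars(num_chars: int, alphabet_size: int) -> float:
    """Upper bound on the entropy of a token of num_chars symbols drawn from an
    alphabet of alphabet_size symbols (the bound behind 64**18 < 2**128)."""
    return num_chars * math.log2(alphabet_size)


def encoded_length(num_random_bytes: int) -> int:
    """Characters produced when num_random_bytes are written as unpadded base64."""
    return math.ceil(num_random_bytes * 8 / 6)


def min_random_bytes(required_bits: int) -> int:
    """Random bytes a generator must draw to satisfy a required_bits policy."""
    return math.ceil(required_bits / 8)


def generate_session_id(num_random_bytes: int) -> str:
    """Assumed model of a byte-counting generator (not the project's code):
    draw num_random_bytes from a CSPRNG, base64url-encode, drop padding."""
    raw = secrets.token_bytes(num_random_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def assess_session_id(token: str, required_bits: int) -> dict:
    """Black-box view from one sampled cookie value: infer the alphabet and
    compute the ceiling on entropy.  This is an upper bound only: a weak
    generator can fall far below it, so the check can fail a policy but never
    prove compliance.  A base64 token that happens to use only hex characters
    is classified as hex (the smaller, more pessimistic alphabet)."""
    if HEX_RE.match(token):
        alphabet, size, payload = "hex", 16, token
    elif BASE64_RE.match(token):
        alphabet, size, payload = "base64", 64, token.rstrip("=")
    else:
        alphabet, size, payload = "unknown", len(set(token)), token
    max_bits = entropy_bits_for_chars(len(payload), size)
    return {
        "alphabet": alphabet,
        "chars": len(payload),
        "max_bits": max_bits,
        "meets_policy": max_bits >= required_bits,
    }


if __name__ == "__main__":
    REQUIRED = 160  # the policy quoted in the comment
    # Constructed sample cookie values, not captured from any real system.
    samples = (
        "Rm9vYmFyQmF6UXV4MTIzNDU2",            # 24 base64 chars
        "0123456789abcdef0123456789abcdef",    # 32 hex chars
        generate_session_id(min_random_bytes(REQUIRED)),
    )
    for sample in samples:
        print(sample, assess_session_id(sample, REQUIRED))
    print("18 base64 chars carry at most", entropy_bits_for_chars(18, 64), "bits")
    print("18 random bytes carry", 18 * 8, "bits and encode to",
          encoded_length(18), "chars")
    needed = min_random_bytes(REQUIRED)
    print("a", REQUIRED, "bit policy needs", needed, "random bytes ->",
          encoded_length(needed), "chars")
```

The useful distinction for a tester reading a configuration is whether a generator's length setting counts output characters or input bytes: 18 characters of base64 cap out at 108 bits, while 18 random bytes are 144 bits and print as 24 characters. Either way a 160-bit policy needs at least 20 random bytes, which encode to 27 characters.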