[jboss-jira] [JBoss JIRA] (WFLY-5663) Default authentication behavior vulnerable to session fixation attacks
Paul Ferraro (JIRA)
issues at jboss.org
Wed Nov 11 12:56:00 EST 2015
[ https://issues.jboss.org/browse/WFLY-5663?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Paul Ferraro moved UNDERTOW-583 to WFLY-5663:
---------------------------------------------
Project: WildFly (was: Undertow)
Key: WFLY-5663 (was: UNDERTOW-583)
Component/s: Security, Web (Undertow) (was: Core, Security)
Affects Version/s: 10.0.0.CR4 (was: 1.3.4.Final)
> Default authentication behavior vulnerable to session fixation attacks
> ----------------------------------------------------------------------
>
> Key: WFLY-5663
> URL: https://issues.jboss.org/browse/WFLY-5663
> Project: WildFly
> Issue Type: Bug
> Components: Security, Web (Undertow)
> Affects Versions: 10.0.0.CR4
> Reporter: Paul Ferraro
> Assignee: Stuart Douglas
> Priority: Critical
>
> See: https://www.owasp.org/index.php/Session_Fixation
> In JBossWeb, there was a system property to enable this behavior: org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH
> Undertow does not seem to have an equivalent. I don't see any reason not to always force a session ID change following successful authentication when HttpSession.isNew() returns false.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
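Added example, not code from the issue, from WildFly or from Undertow: a login servlet that applies the mitigation Paul asks for at the application level, using only the standard Servlet 3.1 API (the Java EE 7 level WildFly 10 targets). It records whether the session existed before the login request, performs the container login, and on success calls HttpServletRequest.changeSessionId() so that any ID the client could have planted before authenticating stops being valid, while the session's attributes are kept. The "/login" path, the "username" and "password" form fields and the class names are assumptions of this example; the HttpSessionIdListener is included so the rotation can be audited.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

/**
 * Hypothetical login servlet (example code, not part of WildFly/Undertow).
 * Rotates the session ID after a successful authentication when the session
 * pre-dated the login, which is exactly the case session fixation relies on:
 * the attacker hands the victim a session ID, waits for the victim to log in
 * under it, and then reuses the same ID with the victim's privileges.
 *
 * Requires Servlet 3.1 for HttpServletRequest.changeSessionId().
 * Path and form field names are assumptions of this example.
 */
@WebServlet("/login")
public class SessionRotatingLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");

        // Create or fetch the session first so we can tell whether it existed
        // before this request. A pre-existing session may carry an ID the
        // client (or an attacker who set the client's cookie) already knows.
        HttpSession session = req.getSession(true);
        boolean preexisting = !session.isNew();

        try {
            // Programmatic container login (Servlet 3.0); throws
            // ServletException when the credentials are rejected.
            req.login(username, password);
        } catch (ServletException rejected) {
            // Generic failure: do not reveal whether the user exists.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Authenticated: discard the ID that was known before the session
        // held any privilege. changeSessionId() keeps the session's
        // attributes and issues a fresh ID; the old ID is no longer accepted.
        if (preexisting) {
            req.changeSessionId();
        }

        resp.sendRedirect(req.getContextPath() + "/");
    }
}

/**
 * Audit hook (also example code): Servlet 3.1 notifies this listener whenever
 * a session's ID is changed, so rotations on login show up in the server log
 * without the application having to log IDs itself.
 */
@WebListener
class SessionIdRotationAuditor implements HttpSessionIdListener {

    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        // Log the fact, not the identifiers: session IDs are credentials.
        event.getSession().getServletContext()
             .log("session ID rotated (old ID retired)");
    }
}
```

A quick check from the client side: set the JSESSIONID cookie to a value you chose before logging in, log in, and confirm that the Set-Cookie header in the response carries a different value and that a request with the original value is treated as unauthenticated. If the container performs the rotation by default, as the issue proposes for Undertow, the explicit changeSessionId() call in the servlet becomes redundant but harmless.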