[jboss-jira] [JBoss JIRA] (WFLY-5664) Default authentication behavior vulnerable to session fixation attacks
Paul Ferraro (JIRA)
issues at jboss.org
Wed Nov 11 12:56:00 EST 2015
Paul Ferraro created WFLY-5664:
----------------------------------
Summary: Default authentication behavior vulnerable to session fixation attacks
Key: WFLY-5664
URL: https://issues.jboss.org/browse/WFLY-5664
Project: WildFly
Issue Type: Bug
Components: Security, Web (Undertow)
Affects Versions: 10.0.0.CR4
Reporter: Paul Ferraro
Assignee: Stuart Douglas
Priority: Critical
See: https://www.owasp.org/index.php/Session_Fixation
In JBossWeb, there was a system property to enable this behavior: org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH
Undertow does not seem to have an equivalent. I don't see any reason not to always force a session ID change following successful authentication when HttpSession.isNew() returns false.
--
This message was sent by Atlassian JIRA (v6.4.11#64026)
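As an added illustration (not code from the issue, from Undertow or from WildFly), a hypothetical login servlet that applies the mitigation the reporter asks the container to perform by default: after the configured security realm accepts the credentials, a session that already existed before this request (HttpSession.isNew() returns false) has its ID rotated with the Servlet 3.1 changeSessionId() call before any authenticated state is stored in it. The servlet path, parameter names and redirect target are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet (not part of WildFly/Undertow) showing session ID
// rotation on successful authentication as a defence against session fixation.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");
        String password = request.getParameter("password");

        try {
            // Servlet 3.0: authenticate against the container's configured security realm.
            request.login(user, password);
        } catch (ServletException failed) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Vulnerable pattern (what the issue describes): keep whatever session the
        // client arrived with, so an ID planted before login stays valid afterwards.
        //
        // Mitigation: a session that pre-dates this request cannot be trusted to have
        // been issued to this user, so replace its ID before it becomes authenticated.
        HttpSession session = request.getSession(false);
        if (session != null && !session.isNew()) {
            String oldId = session.getId();
            // Servlet 3.1: issues a fresh ID, keeps the session's attributes, and
            // sends the new cookie to the client. Any copy of oldId is now useless.
            String newId = request.changeSessionId();
            log("session ID rotated after login for " + user
                    + " (old " + oldId + ", new " + newId + ")");
        }
        // Only now store authenticated state in the session.
        request.getSession().setAttribute("user", user);
        response.sendRedirect(request.getContextPath() + "/home");
    }
}
```

On a Servlet 3.0 container without changeSessionId(), the equivalent is to invalidate the old session and copy the attributes you still need into request.getSession(true).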