[jboss-user] [JBoss Seam] - sessionId cookie: man-in-the-middle attack

fguerzoni do-not-reply at jboss.com
Sun May 27 02:07:56 EDT 2007


I noticed that the sessionId cookie sent to the client before authentication remains the same even after login has succeeded. This could lead to a man-in-the-middle attack because the pre-login sessionId could be easily sniffed.

So, it would be very nice if it were possible to do session switching on the server side, forcing a pre-login session invalidation and a new session creation (request.getSession(true)) as soon as the client authenticates. Old session data should then be copied to the new session.
In this case a new sessionId cookie will be sent to the client: the client will use this ticket during the next requests.

This mechanism collides with the actual Seam implementation, where Lifecycle.endSession is called after a session.invalidate.
I think that Seam should automatically execute this task during the authentication phase.

regards
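The session switch proposed above (invalidate the pre-login session, create a fresh one with request.getSession(true), carry the old attributes over) written out against the plain Servlet API, as an added illustration for this thread. It is not Seam code and not the poster's code; the class name SessionRotation, the rotate() method and the list of attributes deliberately left behind are assumptions made for the example.

```java
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Rotates the HTTP session at authentication time so that the sessionId
 * issued before login is never the one that carries the authenticated
 * session. Hypothetical helper written for this thread, not part of Seam.
 */
public final class SessionRotation {

    private SessionRotation() {}

    /** Attributes that must not survive the switch (constructed example: a pre-login token). */
    private static final List<String> DROPPED_ATTRIBUTES =
            Collections.singletonList("preLoginCsrfToken");

    /**
     * Call this from the login action once the credentials have been verified and
     * before the authenticated principal is stored. The response must not be
     * committed yet, otherwise the container cannot send the new Set-Cookie header.
     */
    public static HttpSession rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<>();

        if (old != null) {
            // Snapshot first: after invalidate() every accessor on the old
            // session throws IllegalStateException.
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                if (!DROPPED_ATTRIBUTES.contains(name)) {
                    carried.put(name, old.getAttribute(name));
                }
            }
            // Ends the pre-login session; a sniffed pre-login id is now useless.
            old.invalidate();
        }

        // New session object, new id, new sessionId cookie on this response.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

Copying attributes by hand is what the Servlet 2.x API available to Seam in 2007 requires; containers implementing Servlet 3.1 or later also offer HttpServletRequest.changeSessionId(), which renews the id while keeping the same session object and so needs no copy step. Whichever variant is used, it belongs at the moment of authentication, and anything that was bound to the anonymous session on purpose (such as a pre-login token) should be dropped rather than carried across.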

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4048883#4048883

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4048883


