[jboss-user] [JBoss Seam] - sessionId cookie: man-in-the-middle attack
fguerzoni
do-not-reply at jboss.com
Sun May 27 02:07:56 EDT 2007
I noticed that the sessionId cookie sent to the client before authentication remains the same even after login has succeeded. This could lead to a man-in-the-middle attack because the pre-login sessionId could be easily sniffed.
So it would be very nice if it were possible to do a session switch on the server side, forcing a pre-login session invalidation and a new session creation (request.getSession(true)) as soon as the client authenticates. Old session data should then be copied to the new session.
In this case a new sessionId cookie will be sent to the client: the client will use this ticket during the next requests.
This mechanism collides with the actual Seam implementation, where Lifecycle.endSession is called after a session.invalidate.
I think that Seam should automatically execute this task during the authentication phase.
regards
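The session switch the post asks for, written out against the plain Servlet API as an added example (this is not code from the post or from Seam, and it does not touch Seam's Lifecycle). It assumes a javax.servlet 3.x container, a hypothetical `Authenticator.check(user, pass)` that validates credentials, and the usual container behaviour that `invalidate()` followed by `getSession(true)` makes the container issue a fresh JSESSIONID cookie on the response:

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: rotate the session id at the moment of authentication. */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Invalidate the pre-login session and start a fresh one, carrying the
     * old attributes across. After this call the sessionId the browser held
     * before login is no longer accepted by the server, and the container
     * sends a new sessionId cookie with the response.
     */
    public static HttpSession rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            // Kill the pre-login session; its id is now worthless to a sniffer.
            old.invalidate();
        }
        // Fresh session, fresh id, fresh Set-Cookie on the way back to the client.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}

/** Added example: a login servlet that rotates only after credentials pass. */
class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        // Authenticator.check(...) is a hypothetical credential check, not a real API.
        if (!Authenticator.check(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Rotate first, then bind the identity, so the principal never lives
        // in a session whose id was observable before authentication.
        HttpSession session = SessionRotation.rotate(req);
        session.setAttribute("principal", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}

/** Hypothetical stand-in for the application's credential store. */
final class Authenticator {
    private Authenticator() {}

    static boolean check(String user, String pass) {
        // Placeholder: a real application verifies against its user store.
        return "demo".equals(user) && "demo".equals(pass);
    }
}
```

Two caveats a practitioner would want: copying attributes blindly also carries across anything the old session was holding for a framework, so an application that stores objects tied to the old session (the Seam lifecycle objects the post mentions are exactly this kind of thing) needs to re-establish them rather than copy them; and on a Servlet 3.1 or later container, `request.changeSessionId()` performs the id rotation in one call without invalidating the session, which is the simpler route when it is available.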
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4048883#4048883