[teiid-issues] [JBoss JIRA] Reopened: (TEIID-329) Change sessionid to something non-guessable
Steven Hawkins (JIRA)
jira-events at lists.jboss.org
Mon Apr 6 10:26:22 EDT 2009
[ https://jira.jboss.org/jira/browse/TEIID-329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Steven Hawkins reopened TEIID-329:
----------------------------------
It is not sufficient to just change the session identifier. Some attempt is needed to hide the session secret to ensure that sessions cannot easily be hijacked.
> Change sessionid to something non-guessable
> -------------------------------------------
>
> Key: TEIID-329
> URL: https://jira.jboss.org/jira/browse/TEIID-329
> Project: Teiid
> Issue Type: Task
> Components: Server
> Affects Versions: 6.0.0
> Reporter: Steven Hawkins
> Assignee: Steven Hawkins
> Fix For: 6.0.0
>
> Original Estimate: 1 day
> Remaining Estimate: 1 day
>
> Currently the sessionid is based upon a long sequence. It is extremely easy to exploit and then hijack a session. Sessionids should instead be based upon something that is hard to guess (such as a UUID) and should also be encrypted when being returned to the server or resent from the client.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the teiid-issues
mailing list