[teiid-issues] [JBoss JIRA] Closed: (TEIID-329) Change sessionid to something non-guessable
Steven Hawkins (JIRA)
jira-events at lists.jboss.org
Mon Apr 6 12:57:22 EDT 2009
[ https://jira.jboss.org/jira/browse/TEIID-329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Steven Hawkins closed TEIID-329.
--------------------------------
Resolution: Done
changed back to a long session identifier. SessionToken is responsible for holding the session secret. also ensured that session tokens were not leaked to the clients in any other way than logonresult.
> Change sessionid to something non-guessable
> -------------------------------------------
>
> Key: TEIID-329
> URL: https://jira.jboss.org/jira/browse/TEIID-329
> Project: Teiid
> Issue Type: Task
> Components: Server
> Affects Versions: 6.0.0
> Reporter: Steven Hawkins
> Assignee: Steven Hawkins
> Fix For: 6.1.0
>
> Original Estimate: 1 day
> Remaining Estimate: 1 day
>
> Currently the sessionid is based upon a long sequence. It is extremely easy to exploit and then hijack a session. Sessionids should instead be based upon something that is hard to guess (such as a UUID) and should also be encrypted when being returned to the server or resent from the client.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the teiid-issues
mailing list