Project: Application Server 7
Issue: AS7-5315

It's not possible to regenerate SessionID preventing Session Fixation attack

    Details

      Description

      I tried to find a way to regenerate the Session ID.

      The server generates the "sessionId" when the user opens the login page. After the whole "authentication process" inside the secured system, the user still has the same "sessionId".

      This is a security problem. It allows an ill-intentioned person to hijack the user session, consequently giving this person all the permissions that the hijacked session has.

      The link below shows a possible way to fix this inside the program. The problem is that this code doesn't work on JBoss.
      https://www.owasp.org/index.php/Session_Fixation_in_Java


              People

              • Assignee: jfclere Jean-Frederic Clere
              • Reporter: endrigoantonini Endrigo Antonini
              • Votes: 0
              • Watchers: 3
