Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 7.0.0.ER2 (Beta)
Affects Version/s: 7.0.0.DR12
Component/s: Security, Undertow
Labels:
None

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Forum Reference:
https://developer.jboss.org/thread/254629
Target Release:

7.0.0.GA

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

See: https://www.owasp.org/index.php/Session_Fixation

In JBossWeb, there was a system property to enable this behavior: org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH

Undertow does not seem to have an equivalent. I don't see any reason not to always force a session ID change following successful authentication when HttpSession.isNew() returns false.

clones

WFLY-5663 Default authentication behavior vulnerable to session fixation attacks

Closed

Assignee:: Stuart Douglas (Inactive)

Reporter:: Paul Ferraro

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2015/11/11 12:55 PM

Updated:: 2016/06/14 7:38 AM

Resolved:: 2015/12/08 12:25 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates