Undertow / UNDERTOW-579

Default authentication behavior vulnerable to session fixation attacks

Description

      See: https://www.owasp.org/index.php/Session_Fixation

      In JBossWeb, there was a system property to enable this behavior: org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH

      Undertow does not seem to have an equivalent. I don't see any reason not to always force a session ID change following successful authentication when HttpSession.isNew() returns false.
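The mitigation the report asks for, shown as an added example that is not Undertow's own fix for this issue and not code from the reporter: an Undertow core HttpHandler, assumed to wrap the handler that performs authentication, which registers a NotificationReceiver on the request's SecurityContext and rotates the session ID as soon as the AUTHENTICATED event fires. The class name SessionFixationHandler is made up for the illustration; the Undertow types it calls (SecurityContext, NotificationReceiver, SecurityNotification, Sessions, Session.changeSessionId) are Undertow's public API as the editor understands it, not checked against a specific release.

```java
import io.undertow.security.api.NotificationReceiver;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.api.SecurityNotification;
import io.undertow.security.api.SecurityNotification.EventType;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.session.Session;
import io.undertow.server.session.SessionConfig;
import io.undertow.server.session.Sessions;

/**
 * Illustrative handler (not part of Undertow): wraps the handler that performs
 * authentication and changes the session ID the moment the security context
 * reports a successful authentication, so a session ID an attacker planted in
 * the victim's browser before login is never the ID of the authenticated session.
 */
public final class SessionFixationHandler implements HttpHandler {

    private final HttpHandler next;

    public SessionFixationHandler(HttpHandler next) {
        this.next = next;
    }

    @Override
    public void handleRequest(final HttpServerExchange exchange) throws Exception {
        SecurityContext sc = exchange.getSecurityContext();
        // Only unauthenticated requests can transition to authenticated during
        // this exchange, so only those need the receiver.
        if (sc != null && !sc.isAuthenticated()) {
            sc.registerNotificationReceiver(new NotificationReceiver() {
                @Override
                public void handleNotification(SecurityNotification notification) {
                    if (notification.getEventType() != EventType.AUTHENTICATED) {
                        return;
                    }
                    HttpServerExchange ex = notification.getExchange();
                    // getSession (not getOrCreateSession): a session that does not
                    // exist yet gets a fresh server-generated ID anyway, which is the
                    // HttpSession.isNew() == false condition from the report.
                    Session session = Sessions.getSession(ex);
                    if (session == null) {
                        return;
                    }
                    SessionConfig config = ex.getAttachment(SessionConfig.ATTACHMENT_KEY);
                    // Keeps every attribute, issues a new ID and re-sets the cookie
                    // through the SessionConfig, invalidating the ID the client sent.
                    session.changeSessionId(ex, config);
                }
            });
        }
        next.handleRequest(exchange);
    }
}
```

The attack this closes is the one in the linked OWASP page: the attacker gets a session ID of their choosing into the victim's browser (for example via a cookie they can set), the victim logs in, and if the ID survives authentication the attacker's copy of the same cookie now references an authenticated session. Rotating the ID at the AUTHENTICATED event rather than at request end means the new ID is already on the login response. For the servlet layer the same effect is available from the standard API: call HttpServletRequest.changeSessionId() (Servlet 3.1) immediately after a successful HttpServletRequest.login(), guarded by the same isNew() check the report describes.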


People

  Assignee: Stuart Douglas (swd847)
  Reporter: Paul Ferraro (pferraro)
  Votes: 0
  Watchers: 5
