Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 1.2.13.Final, 1.3.6.Final, 1.4.0.Beta1, 1.1.10.Final
Affects Version/s: 1.3.4.Final
Component/s: Core, Security
Labels:
None

Forum Reference:
https://developer.jboss.org/thread/254629

See: https://www.owasp.org/index.php/Session_Fixation

In JBossWeb, there was a system property to enable this behavior: org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH

Undertow does not seem to have an equivalent. I don't see any reason not to always force a session ID change following successful authentication when HttpSession.isNew() returns false.

causes

WFLY-5663 Default authentication behavior vulnerable to session fixation attacks

Closed

WFLY-5711 FormAuthenticationWebFailoverTestCase fails against Undertow 1.3.6.Final

Closed

Assignee:: Stuart Douglas (Inactive)

Reporter:: Paul Ferraro

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2015/11/09 2:06 PM

Updated:: 2020/09/30 10:26 AM

Resolved:: 2015/11/17 4:19 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates