Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 10.0.0.CR5
Affects Version/s: 10.0.0.CR4
Component/s: Security, Web (Undertow)
Labels:
None

Forum Reference:
https://developer.jboss.org/thread/254629

See: https://www.owasp.org/index.php/Session_Fixation

In JBossWeb, there was a system property to enable this behavior: org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH

Undertow does not seem to have an equivalent. I don't see any reason not to always force a session ID change following successful authentication when HttpSession.isNew() returns false.

is caused by

UNDERTOW-579 Default authentication behavior vulnerable to session fixation attacks

Resolved

is cloned by

JBEAP-1878 Default authentication behavior vulnerable to session fixation attacks

Closed

is related to

WFLY-5711 FormAuthenticationWebFailoverTestCase fails against Undertow 1.3.6.Final

Closed

Assignee:: Stuart Douglas (Inactive)

Reporter:: Paul Ferraro

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2015/11/11 12:54 PM

Updated:: 2020/09/30 10:26 AM

Resolved:: 2015/12/08 12:25 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates