You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cxf.apache.org by "Jan Bernhardt (JIRA)" <ji...@apache.org> on 2016/02/03 15:04:39 UTC

[jira] [Created] (FEDIZ-152) Disable URL rewrites with SessionID to avoid session hijacking

Jan Bernhardt created FEDIZ-152:
-----------------------------------

             Summary: Disable URL rewrites with SessionID to avoid session hijacking
                 Key: FEDIZ-152
                 URL: https://issues.apache.org/jira/browse/FEDIZ-152
             Project: CXF-Fediz
          Issue Type: Improvement
          Components: IDP, OIDC
            Reporter: Jan Bernhardt
            Assignee: Jan Bernhardt
             Fix For: 1.3.0


if Cookies are disabled within the Browser the servlet container (like Tomcat) will usually switch to URL rewriting, by adding the JSessionID to the URL.
This is dangerous because users tend to copy URLs from their browser and post them in chat or public forums, thus allowing someone else to hijack their session.

Therefor it is best practice to ensure that a sessionID will not be included within the URL.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)