Posted to issues@cxf.apache.org by "Jan Bernhardt (JIRA)" <ji...@apache.org> on 2016/02/03 15:04:39 UTC
[jira] [Created] (FEDIZ-152) Disable URL rewrites with SessionID to avoid session hijacking
Jan Bernhardt created FEDIZ-152:
-----------------------------------
Summary: Disable URL rewrites with SessionID to avoid session hijacking
Key: FEDIZ-152
URL: https://issues.apache.org/jira/browse/FEDIZ-152
Project: CXF-Fediz
Issue Type: Improvement
Components: IDP, OIDC
Reporter: Jan Bernhardt
Assignee: Jan Bernhardt
Fix For: 1.3.0
If cookies are disabled within the browser, the servlet container (like Tomcat) will usually switch to URL rewriting, by adding the JSESSIONID to the URL.
This is dangerous because users tend to copy URLs from their browser and post them in chat or public forums, thus allowing someone else to hijack their session.
Therefore it is best practice to ensure that a session ID will not be included within the URL.
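The container-level setting that prevents the fallback described above, as an added example rather than the Fediz project's own web.xml: restricting the session tracking mode to cookies only (Servlet 3.0 or later), so the container never emits a `;jsessionid=...` URL even when the client refuses cookies.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the Fediz project's own deployment descriptor.
     Restricts session tracking to cookies so the container never rewrites
     links with ;jsessionid=... for a client that blocks cookies.
     Requires a Servlet 3.0+ container (e.g. Tomcat 7 or later). -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <session-config>
    <!-- When <tracking-mode> is omitted the effective default is COOKIE plus URL,
         which is the weak setting: a browser without cookies gets ;jsessionid=
         appended to every link passed through response.encodeURL(). -->
    <tracking-mode>COOKIE</tracking-mode>
    <cookie-config>
      <!-- Keep the session cookie out of reach of scripts and off plain HTTP. -->
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>

</web-app>
```

With only COOKIE enabled, a client that blocks cookies simply receives a fresh session on each request instead of a rewritten URL; the same restriction can be applied programmatically from a ServletContextListener via ServletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE)).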