You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Jan Bernhardt (JIRA)" <ji...@apache.org> on 2016/02/09 08:05:18 UTC
[jira] [Updated] (FEDIZ-152) Disable URL rewrites with SessionID to
avoid session hijacking
[ https://issues.apache.org/jira/browse/FEDIZ-152?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Bernhardt updated FEDIZ-152:
--------------------------------
Fix Version/s: 1.2.2
> Disable URL rewrites with SessionID to avoid session hijacking
> --------------------------------------------------------------
>
> Key: FEDIZ-152
> URL: https://issues.apache.org/jira/browse/FEDIZ-152
> Project: CXF-Fediz
> Issue Type: Improvement
> Components: IDP, OIDC
> Reporter: Jan Bernhardt
> Assignee: Jan Bernhardt
> Fix For: 1.3.0, 1.2.2
>
>
> if Cookies are disabled within the Browser the servlet container (like Tomcat) will usually switch to URL rewriting, by adding the JSessionID to the URL.
> This is dangerous because users tend to copy URLs from their browser and post them in chat or public forums, thus allowing someone else to hijack their session.
> Therefor it is best practice to ensure that a sessionID will not be included within the URL.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)