Posted to dev@tomcat.apache.org by bu...@apache.org on 2009/09/23 18:47:28 UTC
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
--- Comment #16 from Rejeev Divakaran <re...@gmail.com> 2009-09-23 09:47:24 PDT ---
I think we have misunderstood session fixation. Disabling URL re-write will
not solve session fixation.
Please refer to http://www.owasp.org/index.php/Session_Fixation
and http://rejeev.blogspot.com/2009/09/session-fixation_08.html
The correct solution for session fixation is to create a new session cookie each
time an authentication happens (discard the old cookie and send a new cookie to the
client after authentication).
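The point of the comment above, as an added illustration that is not part of the bug thread or of Tomcat's code: a toy in-memory session store (all names and the credential check are constructed for this example) run twice, once without and once with session-id rotation at login. The store does not care whether the pre-authentication id arrived via a cookie or a `jsessionid` URL parameter, which is why turning off URL rewriting alone does not close the hole; only discarding the pre-authentication id at login does (the Servlet 3.1 API exposes this as `HttpServletRequest.changeSessionId()`).

```python
import secrets
from typing import Dict, Optional, Tuple


class Session:
    """Server-side session state (constructed for this example)."""

    def __init__(self) -> None:
        self.user: Optional[str] = None
        self.attrs: Dict[str, str] = {}  # e.g. a pre-login shopping cart


class SessionStore:
    """Minimal session manager; `rotate_on_login` is the fix under discussion."""

    def __init__(self, rotate_on_login: bool) -> None:
        self.rotate_on_login = rotate_on_login
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login(self, sid: str, user: str, password: str) -> str:
        """Authenticate; return the id the client must present from now on."""
        if password != "correct-horse":  # constructed stand-in for a real check
            raise PermissionError("bad credentials")
        session = self._sessions.get(sid) or Session()
        if self.rotate_on_login:
            # Discard the pre-authentication id so any id that was handed to the
            # browser before login is now worthless; keep attributes by moving
            # the same Session object under a fresh id.
            self._sessions.pop(sid, None)
            sid = secrets.token_hex(16)
            self._sessions[sid] = session
        session.user = user
        return sid


def fixation_outcome(rotate_on_login: bool) -> Tuple[bool, bool]:
    """(pre-login id is still authenticated after login, victim's new id works)."""
    store = SessionStore(rotate_on_login)
    planted = store.new_session()  # id known before the victim authenticates
    store.get(planted).attrs["cart"] = "book"
    victim_sid = store.login(planted, "alice", "correct-horse")
    stale = store.get(planted)
    stale_is_authenticated = stale is not None and stale.user == "alice"
    victim = store.get(victim_sid)
    victim_ok = victim is not None and victim.user == "alice" and victim.attrs["cart"] == "book"
    return stale_is_authenticated, victim_ok
```

Without rotation the pre-login id becomes an authenticated session; with rotation it is gone while the victim's own session (cart included) keeps working.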