Make session fixation protection part of the spec #13
Comments
@glassfishrobot Commented So I propose we add the following to the HttpSession object:
    public String changeId(HttpServletRequest request, HttpServletResponse response);
where the return value is the new sessionId.
@glassfishrobot Commented If a server is working with cross context dispatch, then many contexts can have the same session ID pointing to different sessions. Changing the session ID on one context will have to change the session ID for all contexts (just as invalidating on one will invalidate on all). cheers
@glassfishrobot Commented Modified Paths: trunk/servletcontext.fm
One of the options for providing protection against session fixation is to change the ID of a session on authentication. It would be good if something along the lines of a changeId() method could be added to the session interface to enable custom security solutions to do this easily. An associated event for session listeners would also be required.
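The following is an added example, not code from the issue or the Servlet project. It contrasts the two ways of rotating a session ID after login that the discussion above touches on: the workaround custom security code had to use before the spec offered anything (invalidate the old session, recreate, copy attributes), and the API the spec eventually shipped in Servlet 3.1, `HttpServletRequest#changeSessionId()` together with `HttpSessionIdListener`, which rotates the ID of the same session object and fires the "associated event" the issue asks for. Note that the shipped signature differs from the `HttpSession#changeId(request, response)` proposed in the comment above. `Authenticator.check` is a hypothetical credential check, and the `javax.servlet` package names match the spec generation the issue dates from.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        // Hypothetical credential check; the real one is application specific.
        if (!Authenticator.check(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        HttpSession session = req.getSession(true);

        // (b) Servlet 3.1 way: same HttpSession object, new ID. Attributes survive,
        // no sessionDestroyed/sessionCreated events fire, and the container is
        // responsible for applying the change across contexts. Any ID an attacker
        // handed the victim before login is no longer bound to this session.
        String newId = req.changeSessionId();

        // Only mark the session as authenticated after the rotation, so the
        // pre-login ID never refers to a logged-in session.
        session.setAttribute("user", user);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /**
     * (a) Pre-spec workaround: invalidate and recreate. Returns the new ID.
     * Caveats this issue was raised to remove: invalidate() fires sessionDestroyed
     * (and, with cross-context dispatch, ends every context's session for that ID),
     * the new session is a different object so references held elsewhere go stale,
     * and attribute copying is the application's job.
     */
    static String rotateByRecreate(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> saved = new HashMap<>();
        if (old != null) {
            for (Enumeration<String> e = old.getAttributeNames(); e.hasMoreElements();) {
                String name = e.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        saved.forEach(fresh::setAttribute);
        return fresh.getId();
    }

    /**
     * The "associated event": the container calls sessionIdChanged once per rotation
     * with the old ID. Anything the application indexes by session ID (here, an
     * illustrative lookup table such as a cross-context registry) can be re-keyed
     * without the session itself being destroyed.
     */
    @WebListener
    public static class SessionIdAuditListener implements HttpSessionIdListener {
        static final Map<String, HttpSession> BY_ID = new ConcurrentHashMap<>();

        @Override
        public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
            HttpSession s = event.getSession();
            BY_ID.remove(oldSessionId);
            BY_ID.put(s.getId(), s);
        }
    }
}
```

Deploy in a Servlet 3.1 (or later) container; a POST to `/login` with valid credentials leaves the client holding a new session cookie while the server-side session and its attributes are unchanged. `rotateByRecreate` is kept only to show what the spec method replaces and should not be used where `changeSessionId()` is available.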