Make session fixation protection part of the spec #13

Closed
glassfishrobot opened this issue Oct 4, 2011 · 9 comments
Comments

@glassfishrobot commented:

One of the options for providing protection against session fixation is to change the ID of a session on authentication. It would be good if something along the lines of a changeId() method could be added to the session interface to enable custom security solutions to do this easily. An associated event for sessions listeners would also be required.

@glassfishrobot commented:
Reported by markt_asf

@glassfishrobot commented:
markt_asf said:
On a related note we may want to consider an option to control if this happens when using container provided authentication.

@glassfishrobot commented:
janbartel said:
Access will be needed to the current request, and also the current response in order to effectively change the session id.

So I propose we add the following to the HttpSession object:

public String changeId(HttpServletRequest request, HttpServletResponse response);

where the return value is the new sessionId.

@glassfishrobot commented:
gregwilkins said:
Note also that we have to consider shared session IDs with cross context dispatch.

If a server is working with cross context dispatch, then many contexts can have the same session ID pointing to different sessions. Changing the session ID on one context will have to change the session ID for all contexts (just as invalidating on one will invalidate on all).

cheers
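An added example, not code from the issue or from the Servlet spec itself: a login servlet that rotates the session id right after the credential check, plus the listener counterpart of the "associated event" the issue asks for. It is written against the API that Servlet 3.1 later standardized (HttpServletRequest.changeSessionId() and HttpSessionIdListener in javax.servlet.http) rather than the HttpSession.changeId(request, response) signature proposed above; request.login() delegates to whatever realm the container is configured with, so no credential store is assumed here.

```java
// Added example: session-id rotation on authentication with the Servlet 3.1 API.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            // Container-managed credential check (Servlet 3.0 programmatic login).
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException failed) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Make sure a session exists, then rotate its id BEFORE storing anything
        // that marks the session as authenticated: an id handed to the browser
        // before login (the fixation case) no longer resolves to this session.
        HttpSession session = req.getSession(true);
        req.changeSessionId(); // IllegalStateException if the request has no session
        session.setAttribute("principal", req.getUserPrincipal().getName());
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}

// The container fires this for every id change it performs, so the same hook
// also sees changes initiated from another context when the id is shared.
@WebListener
class SessionIdAudit implements HttpSessionIdListener {
    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        // Record the rotation so pre- and post-login activity can be correlated
        // during an investigation; hash the ids first if logs are widely readable.
        event.getSession().getServletContext().log(
            "session id rotated: " + oldSessionId + " -> " + event.getSession().getId());
    }
}
```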

@glassfishrobot commented:
@shingwaichan said:
Incremental fixes:
Committed revision 42.

Modified Paths:

trunk/servletcontext.fm
trunk/javaEE.fm
trunk/eod-pluggability.fm
trunk/status.fm
trunk/events.fm
trunk/requestobject.fm

@glassfishrobot commented:
@shingwaichan said:
Sending sessions.fm
Sending status.fm
Transmitting file data ..
Committed revision 44.

@glassfishrobot commented:
Marked as fixed on Tuesday, September 18th 2012, 5:08:46 pm

@glassfishrobot commented:
This issue was imported from java.net JIRA SERVLET_SPEC-13
