[ https://issues.apache.org/jira/browse/WICKET-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16093687#comment-16093687 ]

Martin Grigorov commented on WICKET-6416:
-----------------------------------------

Pull Requests are welcome!

> AuthenticatedWebSession doesn't follow OWASP guidelines
> -------------------------------------------------------
>
>                 Key: WICKET-6416
>                 URL: https://issues.apache.org/jira/browse/WICKET-6416
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket
>    Affects Versions: 8.0.0-M6
>            Reporter: Kamil
>            Priority: Minor
>
> As 
> [OWASP|https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OTG-SESS-003)]
>  states, a new JSESSIONID should always be created after successful 
> authentication.
> Currently AuthenticatedWebSession, in the "signIn" method, calls "bind()", where 
> a session is created only if
> {code}
> if (store.lookup(request) == null)
> {
>       // explicitly create a session
>       id = store.getSessionId(request, true);
>       // bind it
>       store.bind(request, this);
> }
> {code}
> which doesn't follow OWASP guidelines and causes a security threat



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
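One way to close the gap the reporter describes, added here as an example and not code from the Wicket project or from the issue itself: a login form that calls Session#replaceSession() right after a successful AuthenticatedWebSession#signIn(), so that the authenticated user is issued a fresh JSESSIONID instead of keeping whatever id the browser arrived with. The package name, the LoginPage class, its markup ids and the failure handling are assumptions; replaceSession() is Wicket's own method for invalidating the current HTTP session and binding a new one, and the property to verify is that the id before and after login differ.

```java
package com.example.auth; // assumed package, not part of Wicket or the issue

import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.model.Model;

/**
 * Login page that rotates the session id after a successful sign-in.
 * The markup (LoginPage.html) with a form "login" containing the fields
 * "username" and "password" is assumed to exist and is not shown here.
 */
public class LoginPage extends WebPage {
    private final Model<String> username = Model.of("");
    private final Model<String> password = Model.of("");

    public LoginPage() {
        Form<Void> form = new Form<Void>("login") {
            @Override
            protected void onSubmit() {
                AuthenticatedWebSession session = AuthenticatedWebSession.get();

                // Id the browser arrived with (null if no session was bound yet).
                // In a fixation attack this is the id the attacker planted.
                String idBeforeLogin = session.getId();

                boolean ok = session.signIn(username.getObject(), password.getObject());
                if (!ok) {
                    error("Login failed");
                    return;
                }

                // WICKET-6416: signIn() -> bind() reuses a session that already
                // exists, so at this point session.getId() still equals
                // idBeforeLogin. replaceSession() invalidates the underlying HTTP
                // session and binds a fresh one, giving the now-authenticated user
                // a new JSESSIONID. Anything stored with Session#setAttribute
                // before this call is discarded with the old HTTP session, so
                // rotate first and populate post-login state afterwards.
                session.replaceSession();

                // Defensive check: refuse to continue as logged in if the id did
                // not actually change (assumed policy, not Wicket behaviour).
                String idAfterLogin = session.getId();
                if (idBeforeLogin != null && idBeforeLogin.equals(idAfterLogin)) {
                    session.invalidateNow();
                    throw new IllegalStateException(
                        "session id was not regenerated after login");
                }

                setResponsePage(getApplication().getHomePage());
            }
        };
        form.add(new TextField<>("username", username));
        form.add(new PasswordTextField("password", password));
        add(form);
    }
}
```

To check it the way the linked OWASP test does, send the login request with a JSESSIONID cookie of your own choosing and confirm that the response's Set-Cookie carries a different value; with signIn() alone the cookie comes back unchanged. The signedIn flag lives on the AuthenticatedWebSession object itself rather than in an HTTP session attribute, so it is expected to survive the rebind; session attributes written before the call do not.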
