[ https://issues.apache.org/jira/browse/SHIRO-170?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kalle Korhonen updated SHIRO-170:
---------------------------------

    Fix Version/s: (was: 1.1.0) 1.2.0

> Force New Session ID on Authentication
> --------------------------------------
>
>                 Key: SHIRO-170
>                 URL: https://issues.apache.org/jira/browse/SHIRO-170
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Configuration
>    Affects Versions: 1.0.0
>            Reporter: Jakob Külzer
>            Priority: Minor
>             Fix For: 1.2.0
>
>
> I am working on an application that has very high security standards. One of
> the issues raised after a full audit of the app is that it might be
> vulnerable to session fixation attacks. Shiro does not reset the Session ID
> after successful authentication, which would prevent this type of attack.
> IMHO this would add another level of security to Shiro beneficial for all
> kinds of applications.
> OWASP has a good page on session fixation attacks:
> http://www.owasp.org/index.php/Session_fixation

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
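
An application-level way to get the behaviour the issue asks for, as an added example that is not part of the original message and not Shiro's own code: stop the pre-login session, authenticate, and continue in a session with a new ID. It assumes shiro-core is on the classpath; the class name, the helper `loginWithFreshSession` and the demo account are hypothetical and constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class SessionRenewalExample {

    // Hypothetical helper: authenticate, then continue in a session whose ID
    // was never visible to anyone before the login succeeded.
    static Session loginWithFreshSession(Subject subject, UsernamePasswordToken token) {
        Map<Object, Object> carried = new LinkedHashMap<>();
        Session old = subject.getSession(false);   // do not create one just to discard it
        if (old != null) {
            // Copy only state you trust; pre-login attributes may be attacker-seeded.
            for (Object key : old.getAttributeKeys()) {
                carried.put(key, old.getAttribute(key));
            }
            old.stop();                            // the pre-login ID is now invalid
        }
        subject.login(token);                      // throws AuthenticationException on failure
        Session fresh = subject.getSession();      // session with a newly generated ID
        carried.forEach(fresh::setAttribute);
        return fresh;
    }

    public static void main(String[] args) {
        // Constructed demo account in an in-memory realm, for illustration only.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "constructed-password");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        Subject subject = SecurityUtils.getSubject();
        Session anonymous = subject.getSession();
        anonymous.setAttribute("cart", "item-42");
        Object preLoginId = anonymous.getId();

        Session fresh = loginWithFreshSession(subject,
                new UsernamePasswordToken("alice", "constructed-password"));
        if (fresh.getId().equals(preLoginId)) {
            throw new IllegalStateException("session ID survived authentication");
        }
        System.out.println("carried attribute: " + fresh.getAttribute("cart"));
    }
}
```

If `login` throws, the old session has already been stopped, so the caller should treat the pre-login state as discarded.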