Hi all, during the code review held last Friday, there was a discussion on session fixation.
I did some minor research on session fixation and checked the measures Tomcat takes internally to prevent such attacks. From what I have discovered, it seems that Tomcat provides session fixation protection by changing the session id when a user authenticates his/her session. In my understanding this occurs during user authentication provided by Apache Tomcat. More details on this can be found in this <http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection> article. When I checked the Tomcat source code further, I discovered that when it generates a session, it attempts to reuse the session id if one was submitted in a cookie, it does not reuse a session id if it comes from a URL, and it uses the SSL session id if one is present. This suggests that we may not have to consider a session id set in a URL. Hence, which further vulnerabilities exist within our system in relation to session fixation?

-- Chiranga Alwis, Software Engineering Intern, +94 77 5930497 +94 77 6368208
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
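The protection described in the thread, Tomcat changing the session id at the moment of authentication, only covers logins handled by Tomcat's own authenticators; an application that authenticates users itself must repeat that step. The following is an added illustration, not code from the thread or from WSO2 or Tomcat: a hypothetical login servlet with a constructed in-memory credential store that rotates the session id on successful login and checks that the id actually changed.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Hypothetical login servlet (added example): rotates the session id at the
// moment the user's privilege level changes, which is the step Tomcat's own
// authenticators perform and that application-level logins must repeat.
public class LoginServlet extends HttpServlet {

    // Constructed demo credential store; a real application checks a user store.
    private static final Map<String, String> USERS = Map.of("alice", "s3cret");

    // Rotate the session id while preserving attributes. Works on any Servlet
    // container; on Servlet 3.1+ request.changeSessionId() does the same in one
    // call and keeps the same HttpSession object.
    static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<>();
        if (old != null) {
            for (Enumeration<String> e = old.getAttributeNames(); e.hasMoreElements();) {
                String name = e.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate(); // any id that existed before login is now useless
        }
        HttpSession fresh = request.getSession(true);
        saved.forEach(fresh::setAttribute);
        return fresh;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || !Objects.equals(USERS.get(user), pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String before = req.getSession(true).getId();
        HttpSession session = rotateSession(req);
        session.setAttribute("user", user);
        // Self-check: an unchanged id means fixation protection is not in effect.
        if (session.getId().equals(before)) {
            throw new ServletException("session id was not rotated on login");
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The same "id before login differs from id after login" check can be turned into an integration test against a running deployment, which is a direct way to confirm whether a given login path is covered.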