Hi Chiranga,

On Tue, Jun 21, 2016 at 6:02 AM, Chiranga Alwis <chira...@wso2.com> wrote:

> Hi all,
>
> During the code review held last Friday, there was a discussion on session
> fixation.
>
> I did some minor research on session fixation and checked the measures
> taken by Tomcat internally to prevent such attacks. From what I have
> discovered, it seems that Tomcat provides session fixation protection when
> a user authenticates his/her session, by changing the session id. In my
> understanding this occurs during the user authentication provided by Apache
> Tomcat. More details on this can be found in this
> <http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection>
> article.
>
> When I checked the Tomcat source code further, I discovered that when it
> generates a session, it attempts to reuse the session id if one was
> submitted in a cookie, it does not reuse a session id if it is from a URL,
> and it uses the SSL session id if one is present.
>

This issue was already fixed some time back, and you can find all the patches we have issued at wso2.com/security. Also, if you report any security concerns in the future, please report them to secur...@wso2.com.

Thanks & regards,
-Prabath

> This suggests that we may not have to consider a session id set in a URL.
> Hence, which further vulnerabilities exist within our system in relation
> to session fixation?
>
> --
> Chiranga Alwis,
> Software Engineering Intern,
> +94 77 5930497
> +94 77 6368208
>
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>

--
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
Mobile : +1 650 625 7950
http://facilelogin.com
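To make the behaviour discussed in this thread concrete, here is a small Python model of the session-id rules Chiranga describes (reuse a cookie-supplied id when creating a session, never reuse a URL-supplied id, prefer the SSL session id, and change the id when the user authenticates). It is an added example for this archive, not WSO2 or Tomcat code; the SessionManager class, the source constants and the fixation_attack helper are hypothetical names chosen for the illustration. The change_session_id method plays the role of HttpServletRequest.changeSessionId() (Servlet 3.1), which is what Tomcat's authenticator calls when changeSessionIdOnAuthentication is left at its default of true.

```python
"""Model of Tomcat-style session-id handling to show why session fixation
fails once the id is changed at authentication.

Added illustration, not WSO2 or Tomcat code. The class and function names
are hypothetical; the id-selection rules in create_session follow the
behaviour described in the mailing-list thread.
"""
import secrets
from dataclasses import dataclass, field

# Where the requested session id came from (Tomcat tracks the same three).
COOKIE, URL, SSL = "cookie", "url", "ssl"


@dataclass
class Session:
    id: str
    attrs: dict = field(default_factory=dict)


class SessionManager:
    def __init__(self, change_id_on_auth=True):
        self.sessions = {}
        self.change_id_on_auth = change_id_on_auth  # like changeSessionIdOnAuthentication

    def _new_id(self):
        return secrets.token_hex(16)

    def create_session(self, requested_id=None, source=None):
        """Create a new session, applying the id-reuse rules from the thread."""
        if requested_id and source == SSL:
            sid = requested_id            # SSL session id wins when present
        elif requested_id and source == COOKIE:
            sid = requested_id            # a cookie-supplied id is reused
        else:
            sid = self._new_id()          # URL-supplied or absent: fresh id
        session = Session(sid)
        self.sessions[sid] = session
        return session

    def get_session(self, requested_id, source):
        """Resolve an existing session by id, or create one (container lookup)."""
        existing = self.sessions.get(requested_id) if requested_id else None
        return existing or self.create_session(requested_id, source)

    def change_session_id(self, session):
        """Equivalent of HttpServletRequest.changeSessionId(): keep the state,
        invalidate the old id, bind the state to a fresh one."""
        del self.sessions[session.id]
        session.id = self._new_id()
        self.sessions[session.id] = session
        return session.id

    def login(self, session, user):
        """Authenticate the session; change its id first when protection is on."""
        if self.change_id_on_auth:
            self.change_session_id(session)
        session.attrs["user"] = user
        return session.id


def fixation_attack(change_id_on_auth):
    """Run the classic fixation scenario. Returns True if the attacker can
    replay the id he planted and land in the victim's authenticated session."""
    mgr = SessionManager(change_id_on_auth)
    # 1. attacker obtains a valid id from the server
    planted_id = mgr.create_session().id
    # 2. attacker plants it in the victim's browser as a cookie; victim logs in
    victim_session = mgr.get_session(planted_id, COOKIE)
    mgr.login(victim_session, "victim")
    # 3. attacker replays the planted id
    hijacked = mgr.sessions.get(planted_id)
    return hijacked is not None and hijacked.attrs.get("user") == "victim"


if __name__ == "__main__":
    print("fixation succeeds without id change:", fixation_attack(False))  # True
    print("fixation succeeds with id change:   ", fixation_attack(True))   # False
```

Two things the model makes visible. First, the URL rule only applies when a session is being created: an id the attacker obtained from the server and then delivered through a URL still resolves to that existing session in get_session, so "not reusing a URL session id" on its own does not defeat fixation. Second, the control that actually breaks the attack is the id change at login; with change_id_on_auth set to False the planted id keeps working after the victim authenticates, which is the condition a reviewer should look for in any code path that authenticates a user without going through the container's own authenticator.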