Hi all,

sure I follow that procedure in the future.

On Tue, Jun 21, 2016 at 7:21 PM, Prabath Siriwardana <prab...@wso2.com>
wrote:

> Hi Chiranga,
>
> On Tue, Jun 21, 2016 at 6:02 AM, Chiranga Alwis <chira...@wso2.com> wrote:
>
>> Hi all,
>>
>> during the code review held last Friday, there was a discussion on
>> session fixation.
>>
>> I performed some minor research on session fixation and checked the
>> measures taken by Tomcat internally to prevent such attacks. From what I
>> have discovered it seems that Tomcat provides session fixation protection
>> when a user authenticates his/her session by changing the session id. In my
>> understanding this occurs during user authentication provided by Apache
>> Tomcat. More details on this can be found from this
>> <http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection>
>> article.
>>
>> When I checked the Tomcat source code further, I discovered that when it
>> generates a session, it attempts to reuse the session id if one was
>> submitted in a cookie, it does not reuse a session id if it is from a URL
>> and uses the SSL session id if one is present.
>>
>
> This issue was already fixed some time back - and you can find all the
> patches we have issued from wso2.com/security.
>
> Also, if you have any security concerns in the future, please report them to
> secur...@wso2.com.
>
> Thanks & regards,
> -Prabath
>
>
>>
>> This suggests that we may not have to consider a session id set in a URL.
>> Hence, which further vulnerabilities exist within our system in relation
>> with session fixation?
>>
>> --
>> Chiranga Alwis,
>> Software Engineering Intern,
>> +94 77 5930497
>> +94 77 6368208
>>
>> _______________________________________________
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://facilelogin.com
>



-- 
Chiranga Alwis,
Software Engineering Intern,
+94 77 5930497
+94 77 6368208
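The quoted message describes three behaviours of Tomcat's session handling: an id submitted in a cookie may be reused when a session is created, an id submitted in a URL is never reused, and the session id is changed when the user authenticates. The following is an added, hypothetical Python model of that behaviour (it is not Tomcat code and not part of this thread) that walks through a session fixation attempt and shows why the rotation at login is the check that defeats it. The planted id, user name and attribute values are constructed sample data.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SESSION_ID_HEX_CHARS = 32  # 16 random bytes, hex-encoded


@dataclass
class Session:
    id: str
    user: Optional[str] = None          # set once the user has authenticated
    attributes: Dict[str, str] = field(default_factory=dict)


class SessionManager:
    """Toy in-memory session store (hypothetical; modelled on the behaviour the thread describes)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # Cryptographically random id: an attacker must not be able to guess it.
        return secrets.token_hex(SESSION_ID_HEX_CHARS // 2)

    @staticmethod
    def _well_formed(sid: str) -> bool:
        return len(sid) == SESSION_ID_HEX_CHARS and all(c in "0123456789abcdef" for c in sid)

    def create(self, requested_id: Optional[str] = None, source: Optional[str] = None) -> Session:
        """Create a session. An id submitted in a cookie may be reused if well formed;
        an id submitted in the URL is never reused (a URL is trivially attacker-supplied)."""
        if requested_id and source == "cookie" and self._well_formed(requested_id):
            sid = requested_id
        else:
            sid = self._new_id()
        session = Session(id=sid)
        self._sessions[sid] = session
        return session

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def authenticate(self, sid: str, user: str) -> Session:
        """Rotate the session id at authentication: the pre-login id is invalidated,
        so any party that knew it cannot reach the logged-in session."""
        old = self._sessions.pop(sid)
        fresh = Session(id=self._new_id(), user=user, attributes=old.attributes)
        self._sessions[fresh.id] = fresh
        return fresh


def fixation_scenario() -> Dict[str, bool]:
    """Walk through a fixation attempt against the store and report what the defence achieved."""
    mgr = SessionManager()
    # Constructed sample: an id that was planted in the victim's cookie jar before login.
    planted = "deadbeef" * 4

    # Victim's pre-login request carries the planted id; the store accepts it (cookie source).
    pre_login = mgr.create(requested_id=planted, source="cookie")
    pre_login.attributes["cart"] = "item-42"

    # Victim logs in; the id is rotated and session attributes carry over.
    logged_in = mgr.authenticate(pre_login.id, user="alice")

    # The same planted id offered via a URL is ignored entirely.
    from_url = mgr.create(requested_id=planted, source="url")

    return {
        "planted_id_accepted_pre_login": pre_login.id == planted,
        "planted_id_valid_after_login": mgr.get(planted) is not None,
        "rotated_id_differs": logged_in.id != planted,
        "rotated_session_authenticated": logged_in.user == "alice",
        "attributes_preserved": logged_in.attributes.get("cart") == "item-42",
        "url_id_reused": from_url.id == planted,
    }


if __name__ == "__main__":
    for key, value in fixation_scenario().items():
        print(f"{key}: {value}")
```

The point the scenario makes is the one the thread turns on: accepting a cookie-supplied id before login is harmless only because the id is discarded and replaced at the moment privileges are attached to the session. A store that kept the pre-login id through authentication would leave whoever planted it holding an authenticated session.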