Difference between revisions of "Session Fixation in Java"
Older revision (edit summary: New page: ==Overview of Session Fixation== A detailed overview on session fixation can be found here: Session Fixation ==Countermeasures== * Session ID should be regenerated after login, and ...)
Newer revision (edit summary: →Countermeasures)

Line 6 (both revisions):
  * Session ID should be regenerated after login, and switching in and out of SSL
+
+ (Comment: Could expand on why this is important)
  session.invalidate();

Line 11 (older) / Line 13 (newer):
  * Disable URL rewriting
+
+ (Comment: How does one do this in the popular web containers?, and what threat does this mitigate?)
Revision as of 09:54, 8 March 2007
Overview of Session Fixation
A detailed overview of session fixation can be found here: Session Fixation
Countermeasures
- Session ID should be regenerated after login, and switching in and out of SSL
(Comment: Could expand on why this is important)
session.invalidate();               // discards the current session, and with it the old session ID
session = request.getSession(true); // the container creates a new session with a fresh ID
- Disable URL rewriting
(Comment: How does one do this in the popular web containers, and what threat does this mitigate?)
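Both countermeasures above, worked into a small servlet, as an added example that is not part of the original wiki page and is not OWASP code. It assumes a Servlet 3.0 or later container (a newer API than this 2007 revision had available); the `authenticate()` method and the "cart" attribute are hypothetical stand-ins for the application's own credential check and pre-login state. The servlet calls `invalidate()` followed by `getSession(true)` only after the credentials have been verified, so an ID that the client arrived with (possibly one chosen by an attacker) is never promoted to an authenticated session. The listener restricts session tracking to cookies, which is how a Servlet 3.0 container is told to stop rewriting `;jsessionid=...` into URLs.

```java
// Added example (not from the OWASP wiki page): regenerate the session ID after a
// successful login, and disable URL rewriting by restricting tracking to cookies.
// Assumes Servlet 3.0+. authenticate() and the "cart" attribute are hypothetical.
import java.io.IOException;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Pre-authentication attributes that may legitimately survive the login
    // (hypothetical allowlist). Everything else is dropped together with the old ID.
    private static final String[] CARRY_OVER = { "cart" };

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String user = request.getParameter("username");
        String password = request.getParameter("password");

        if (!authenticate(user, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Credentials verified: discard the session the client arrived with and
        // bind the authenticated user to a freshly issued session ID.
        HttpSession session = regenerateSession(request);
        session.setAttribute("user", user);
        response.sendRedirect(request.getContextPath() + "/home");
    }

    // Invalidate the current session (if any) and return a new one, copying over
    // only the allowlisted attributes.
    static HttpSession regenerateSession(HttpServletRequest request) {
        Map<String, Object> carried = new HashMap<>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            for (String name : CARRY_OVER) {
                Object value = old.getAttribute(name);
                if (value != null) {
                    carried.put(name, value);
                }
            }
            old.invalidate();                         // the old ID is now unusable
        }
        HttpSession fresh = request.getSession(true); // the container mints a new ID
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    // Hypothetical placeholder for the application's real credential check.
    private boolean authenticate(String user, String password) {
        return user != null && password != null && !password.isEmpty();
    }
}

// Restrict session tracking to cookies at startup (Servlet 3.0+) so the container
// never rewrites the session ID into URLs. This is the programmatic equivalent of
// <session-config><tracking-mode>COOKIE</tracking-mode></session-config> in web.xml.
@WebListener
class CookieOnlyTrackingListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        sce.getServletContext()
           .setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
    }
}
```

The same `regenerateSession()` call belongs at any other trust boundary the page mentions, such as the point where a request first arrives over SSL, so that an ID observed on the plaintext side is not reused on the encrypted side. On a Servlet 3.1 or later container, `request.changeSessionId()` issues a new ID while keeping the session's attributes, which removes the need to copy them by hand. With tracking limited to cookies, `HttpServletResponse.encodeURL()` leaves URLs unchanged, so a session ID can no longer be planted by handing a victim a crafted link containing `;jsessionid=`.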