Session Fixation in Java
From OWASP
Revision as of 19:44, 5 March 2007 by Rohyt
Overview of Session Fixation
A detailed overview of session fixation can be found here: Session Fixation
Countermeasures
- The session ID should be regenerated after login, and when switching into or out of SSL
session.invalidate();               // discard the pre-login session together with its (possibly attacker-supplied) ID
session = request.getSession(true); // create a fresh session with a newly generated ID
- Disable URL rewriting
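Both countermeasures in one place, as an added example that is not OWASP's code: a hypothetical login servlet that invalidates the pre-login session and obtains a fresh one at the moment of authentication, plus a context listener that disables URL rewriting by restricting session tracking to cookies. It assumes a Servlet 3.0+ container (javax.servlet API); the /login and /home paths and the authenticate() placeholder are assumptions.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Disable URL rewriting application-wide by tracking sessions with cookies only
// (Servlet 3.0+); this must run before the context finishes initializing, hence a listener.
@WebListener
class CookieOnlySessionTracking implements ServletContextListener {
    @Override public void contextInitialized(ServletContextEvent sce) {
        sce.getServletContext().setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }
    @Override public void contextDestroyed(ServletContextEvent sce) { }
}

// Hypothetical login servlet: regenerate the session ID at the moment of
// authentication, so an ID fixed before login is never promoted to a logged-in one.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        if (!authenticate(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Invalidate the pre-login session (any attacker-chosen ID dies with it) and let
        // the container mint a fresh one; nothing from the old session is carried over.
        HttpSession old = req.getSession(false);
        if (old != null) { old.invalidate(); }
        HttpSession fresh = req.getSession(true);   // new session, newly generated ID
        fresh.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home"); // plain URL: no encodeRedirectURL()
    }

    // Placeholder for the application's own credential check (an assumption, not real logic).
    private boolean authenticate(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}
```

The same invalidate()/getSession(true) step belongs wherever the page says the ID should change, including the switch into or out of SSL. On Servlet 3.1+ containers, request.changeSessionId() rotates the ID in place while keeping the session's attributes.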