This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Session Fixation in Java

From OWASP

Revision as of 09:54, 8 March 2007 by Stephendv (talk | contribs) (→‎Countermeasures)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to: navigation, search

Overview of Session Fixation

A detailed overview on session fixation can be found here: Session Fixation

Countermeasures

Session ID should be regenerated after login, and switching in and out of SSL

(Comment: Could expand on why this is important)

 session.invalidate();
 session=request.getSession(true);

Disable URL rewriting

(Comment: How does one do this in the popular web containers?, and what threat does this mitigate?)

Retrieved from "https://wiki.owasp.org/index.php?title=Session_Fixation_in_Java&oldid=17083"