This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Session Fixation in Java"
From OWASP
(→Countermeasures) |
|||
| Line 1: | Line 1: | ||
| + | == Status == | ||
| + | This article is in DRAFT | ||
| + | |||
==Overview of Session Fixation== | ==Overview of Session Fixation== | ||
Revision as of 07:42, 12 October 2007
Status
This article is in DRAFT
Overview of Session Fixation
A detailed overview on session fixation can be found here: Session Fixation
Countermeasures
- Session ID should be regenerated after login, and switching in and out of SSL
(Comment: Could expand on why this is important)
session.invalidate(); session=request.getSession(true);
- Disable URL rewriting
(Comment: How does one do this in the popular web containers?, and what threat does this mitigate?)
