This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Difference between revisions of "Session Fixation in Java"

Revision as of 07:42, 12 October 2007


This article is in DRAFT

Overview of Session Fixation

A detailed overview of session fixation can be found here: Session Fixation


  • The session ID should be regenerated after login and when switching into or out of SSL

(Comment: Could expand on why this is important)

  • Disable URL rewriting
(Comment: How does one do this in the popular web containers, and what threat does this mitigate?)
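The first bullet in code, as an added example that is not part of the original article: a hypothetical login servlet that replaces the pre-authentication session ID before it marks the session as logged in, carrying over any pre-login attributes. The `LoginServlet` name and the abstract `authenticate` hook are assumptions; the servlet API calls are the standard ones.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet (added example). The deploying application
// supplies authenticate(); everything else is plain servlet API.
public abstract class LoginServlet extends HttpServlet {

    /** Application-specific credential check; assumed, not part of the page. */
    protected abstract boolean authenticate(String user, String pass);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (!authenticate(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The browser arrived with a pre-authentication session ID that may have
        // been fixed by a third party. Discard it before storing any state that
        // marks the session as authenticated, so that ID never becomes valid.
        HttpSession session = regenerateSession(req);
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /** Issues a fresh session ID while keeping pre-login attributes (e.g. cart). */
    static HttpSession regenerateSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();          // old ID is no longer valid server-side
        }
        HttpSession fresh = req.getSession(true);   // new ID sent via Set-Cookie
        carried.forEach(fresh::setAttribute);
        return fresh;
    }
}
```

On Servlet 3.1+ containers `req.changeSessionId()` performs the same ID swap in one call without invalidating the session. URL rewriting (the `;jsessionid=` form of the ID) can be switched off on Servlet 3.0+ by declaring `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml, which keeps the session ID out of URLs.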