This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Session Fixation in Java

Revision as of 18:28, 27 May 2009 by MediaWiki spam cleanup (talk | contribs) (Reverting to last version not containing links to

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search


This article is in DRAFT

Overview of Session Fixation

A detailed overview on session fixation can be found here: Session Fixation


  • Session ID should be regenerated after login, and switching in and out of SSL

Comment: Please note that JBOSS has proven to NOT regenerate a new session id via this method as of December 2007.

  • Disable URL rewriting

Comment: What threat does this mitigate?
Answer: Disabling of URL rewriting mitigates Session Hijacking/Session Sniffing via session id's being exposed in a GET parameter of your url's (as well as being stored in your browser history, proxy servers, etc). See Session hijacking attack