https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #17 from Mark Thomas <ma...@apache.org> 2009-09-23 18:20:36 BST ---
Actually, preventing the use of the session ID in the URL goes a long way to
preventing session fixation as it blocks the most easily exploited attack
vectors. There would remain an issue with cookies but that should be limited to
3rd party cookies which may not be an issue for many situations.

You are correct that changing the session ID on authentication will resolve all
session fixation attacks. However, changing the session ID may also cause
application breakage. It may also cause internal breakage for things like
session replication. There would need to be some very careful testing.

Whilst each of these techniques can be achieved by web applications (some more
easily than others), there is clearly some scope for adding options to Tomcat
so the container handles this transparently.

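The two application-level mitigations discussed in the comment above, written out as an added example (this is not code from the bug thread or from Tomcat itself). It assumes the Servlet 3.0 API (javax.servlet); the class names, the `/login` and `/home` paths and the `checkCredentials` helper are illustrative placeholders.

```java
// Added example, not from the bug report or Tomcat's own code.
// Assumes Servlet 3.0 (javax.servlet); names below are illustrative.
import java.io.IOException;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Mitigation 1: never accept or emit the session ID in the URL (;jsessionid=...). */
@WebListener
public class CookieOnlySessionListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Cookie-only tracking disables URL rewriting, so a link that carries an
        // attacker-chosen ;jsessionid=... can no longer fix the victim's session.
        sce.getServletContext()
           .setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}

/** Mitigation 2: issue a fresh session ID at the moment of authentication. */
@WebServlet("/login")
class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (!checkCredentials(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Only now, after the credentials are accepted, bind identity to a session
        // whose ID the attacker cannot know.
        HttpSession session = rotateSession(req);
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /**
     * Replace the pre-authentication session with a new one. Whatever ID an
     * attacker may have planted (via URL or a cookie set from a sibling host) is
     * discarded. Attributes are copied across so unauthenticated state such as a
     * shopping cart survives; dropping them silently is the "application
     * breakage" the comment warns about. On Servlet 3.1+ containers
     * request.changeSessionId() performs the same rotation in place.
     */
    static HttpSession rotateSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> saved = new HashMap<>();
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Placeholder (hypothetical): delegate to the application's realm or identity store. */
    private static boolean checkCredentials(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}
```

The same cookie-only setting can be declared in web.xml with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>`. Blocking URL-carried IDs removes the easiest vector; the rotation in `rotateSession` is what also defeats an ID planted through a cookie, which is why both belong together. Before deploying the rotation, test anything that keys on the session ID across the login boundary, notably session replication in a cluster, since the replicated session for the old ID is invalidated and a new one has to be created and propagated.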