Change Session ID after authentication

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 6.1.25, 7.1.5, 8.0.0.M1
Fix Version/s: 6.1.26, 7.2.1
Component/s: None
Labels:
None

Number of attachments :
1

Description

Change session ID after authentication to prevent session hijacking.

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Download All

Attachments

JETTY-1281.diff

23/Sep/10 6:44 PM

32 kB

Greg Wilkins

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Greg Wilkins added a comment - 23/Sep/10 6:44 PM

work in progress.

Need to work out how to do this for BASIC and DIGEST, so the session ID only changes on the first time the session is authenticated.

Need to update test harnesses

Show

Greg Wilkins added a comment - 23/Sep/10 6:44 PM work in progress. Need to work out how to do this for BASIC and DIGEST, so the session ID only changes on the first time the session is authenticated. Need to update test harnesses

Hide

Permalink

Greg Wilkins added a comment - 27/Sep/10 8:44 AM

For now I have gone with a solution that recreates the entire session rather than silently change the ID. This means listeners will fire, but then they need to so that code that uses the session ID as an index can be updated

Show

Greg Wilkins added a comment - 27/Sep/10 8:44 AM For now I have gone with a solution that recreates the entire session rather than silently change the ID. This means listeners will fire, but then they need to so that code that uses the session ID as an index can be updated

People

Assignee:

Greg Wilkins

Reporter:

Greg Wilkins

Vote (0)

Watch (0)

Dates

Created:

23/Sep/10 4:46 PM

Updated:

27/Oct/10 11:05 PM

Resolved:

27/Oct/10 11:05 PM