
I'm fixing flaws found by a Veracode static scan and I found several session fixation flaws on lines like these:

  • `request.getSession().getAttribute(...)` / `request.getSession().setAttribute(...)`

OWASP said I should invalidate the session after logout and login, but there's no login around these lines. I don't understand why this flaw is being detected on these lines. Could you help me understand why this is happening and how to fix it?

Jose Miguel
  • I'm not sure you _can_ fix these. If you are using HttpSession in an environment where the user is not being asked to log in, then the warnings from the code scan are meaningless. – DaveH May 07 '15 at 09:09

1 Answer


What OWASP said is right: you need to invalidate the session at the time of logout, which is more of a generic comment. As you have rightly mentioned, there is no login around these lines of code; I see you are trying to get the session to set and retrieve values from it.

It would be good if you posted more code so it can be understood better.

You can mark it as a false positive in Veracode (or mark the fix as "no fix" and provide appropriate clarification for mitigation) if you are sure it doesn't impact the system much.

Amit K
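As an added example (not code from the question or the answer), here is one way to handle the login case OWASP refers to, in the servlet API the question uses: the pre-authentication session is invalidated and a fresh one is issued before any authenticated state is stored, so a session id fixed before login is never promoted. `LoginServlet`, `authenticate()` and the `preauth.` attribute prefix are hypothetical.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet: rotates the session id on successful
// authentication so a pre-login session id never carries auth state.
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (!authenticate(user, pass)) {           // hypothetical credential check
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Preserve pre-login state worth keeping (e.g. a cart or locale).
        Map<String, Object> keep = new HashMap<>();
        HttpSession old = req.getSession(false);   // do not create one if absent
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String n = names.nextElement();
                if (n.startsWith("preauth.")) {    // assumed naming convention
                    keep.put(n, old.getAttribute(n));
                }
            }
            old.invalidate();                      // discard the possibly fixed id
        }

        // Servlet 3.1+ offers req.changeSessionId(); invalidate + create is portable.
        HttpSession fresh = req.getSession(true);  // container issues a new id here
        keep.forEach(fresh::setAttribute);
        fresh.setAttribute("user", user);          // only the new session holds auth state
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    private boolean authenticate(String user, String pass) {
        // Placeholder: replace with the application's real credential check.
        return user != null && pass != null && !user.isEmpty();
    }
}
```

For logout, the matching step is `req.getSession(false)` followed by `invalidate()` on the returned session if it is non-null; plain `getAttribute`/`setAttribute` calls with no login on the same path, as in the question, have no privilege change to rotate around.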