Our security team ran a scan that tells us that we're vulnerable to session fixation and the docs tells us that in tomcat we should use the changeSessionIdOnAuthentication setting in context.xml.
What would be the equivalent move in WebSphere 8.5?
Asked
Active
Viewed 1,073 times
2
-
Did they scan WebSphere or Tomcat? If you are using application security and session security integration (by default enabled in 8.5), you shouldn't be vulnerable. – Gas Apr 19 '16 at 14:01
-
@Gas They scan the application. It's some security program that yuo give the URL of your app, and it tries stuff and detects various vulnerabilities. Some of the results are B.S., but this was one of the legit ones. I can see Tomcat has this feature according to the internet, but am not sure about WAS, or where it would be in WAS. – Entropy Apr 20 '16 at 12:09
-
do we have any updates on this? – Fritz May 02 '18 at 07:56
2 Answers
0
I had the same issue with WAS 8.5. Ended up using spring security to configure the session fixation issue.
<security:session-management invalid-session-url="/login" session-authentication-error-url="/login" session-fixation-protection="newSession">
<security:concurrency-control error-if-maximum-exceeded="true" max-sessions="1" expired-url="/login"/>
Bala
- 749
- 11
- 27
0
WebSphere 8.5 is using a servlet api version that is < 3.1, therefore you can't use changeSessionId() method of HttpServlet Request.
What you can do instead is, at the point where you are authenticating your user in your application, probably, attemptAuthentication() or similar methods, you can do:
HttpSession session = request.getSession(false);
if(session != null)
session.invalidate();
session = request.getSession();
The above provides protection against session fixation attack.
jumping_monkey
- 5,941
- 2
- 43
- 58