Session fixation is a vulnerability that occurs when an application authenticates a user, or otherwise establishes a new user session, without invalidating the session identifier that was already in use. An attacker who planted that identifier beforehand (by visiting the site to obtain a valid id and then delivering it to the victim in a URL, an injected cookie, or a cookie set from a related host) can present it after the victim logs in and take over the authenticated session.
Questions tagged [session-fixation]
60 questions
2 votes, 2 answers
Generate a new session Id
How to generate a new session id without extending the HttpServlet class? Is it mandatory to extend the HttpServlet class, and is it mandatory to generate the new session id within the doGet method?
public class LoginSupport extends ActionSupport {
public void…

Mapa
- 61
- 1
- 2
- 12
2 votes, 2 answers
Can the HttpOnly flag prevent a session fixation attack?
I have a need to preserve the session id after login. My session id cookie is marked as HttpOnly. Is such a setup absolutely secure? Is there any possibility for an attacker to perform a session fixation attack if my session cookie is HttpOnly?

Victor Dombrovsky
- 2,955
- 3
- 21
- 33
2 votes, 2 answers
changeSessionIdOnAuthentication in WebSphere 8.5?
Our security team ran a scan that tells us we're vulnerable to session fixation, and the docs tell us that in Tomcat we should use the changeSessionIdOnAuthentication setting in context.xml.
What would be the equivalent move in WebSphere 8.5?

Entropy
- 1,219
- 6
- 21
- 45
2 votes, 1 answer
How to change the value of JSESSIONID after user login in liftweb?
I am trying to prevent a Session Fixation vulnerability by changing the JSESSIONID after the user logs in.
I am using a SessionVar to store the user data, and S.session.open_!.destroySessionAndContinueInNewSession to invalidate the old session and create…

Winston Chen
- 6,799
- 12
- 52
- 81
2 votes, 1 answer
Removing JSESSIONID in URL without using Filter and Wrapper
I have created a Filter listening on a url-pattern of /* which replaces the HttpServletRequest with an HttpServletRequestWrapper implementation.
I have a Servlet, and in this Servlet I am using h:graphicImage to render images fetched from Apache web…

Vikas V
- 3,176
- 2
- 37
- 60
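The container can be told never to emit ;jsessionid in URLs in the first place, which makes the filter-plus-wrapper approach in the question above unnecessary. The listener below is an added example (not the poster's code) using only the Servlet 3.0 ServletContext, SessionCookieConfig and FilterRegistration APIs; the class names and the "session ids are accepted in cookies only" error message are my own. With COOKIE as the sole tracking mode, response.encodeURL() and encodeRedirectURL() return their argument unchanged, so JSF components such as h:graphicImage, which route resource URLs through ExternalContext.encodeResourceURL and from there to response.encodeURL, stop appending the id.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Cookie-only session tracking, set up once at deployment (example code). */
@WebListener
public class CookieOnlySessionListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Only cookies may carry the session id: URL rewriting is switched off
        // container-wide, so encodeURL()/encodeRedirectURL() leave URLs alone.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Same place to harden the cookie itself. setSecure(true) assumes the
        // application is served over HTTPS only.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);
        cookie.setSecure(true);

        // Defence in depth: refuse requests that still try to pass the id in the URL.
        ctx.addFilter("rejectUrlSessionId", RejectUrlSessionIdFilter.class)
           .addMappingForUrlPatterns(null, false, "/*");   // null = DispatcherType.REQUEST
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    /**
     * isRequestedSessionIdFromURL() reports how the client presented the id,
     * regardless of whether the container accepted it, so a planted
     * ;jsessionid=... is rejected before any servlet sees the request.
     */
    public static class RejectUrlSessionIdFilter implements Filter {
        @Override
        public void init(FilterConfig filterConfig) { }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            if (request.isRequestedSessionIdFromURL()) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "session ids are accepted in cookies only");
                return;
            }
            chain.doFilter(req, res);
        }

        @Override
        public void destroy() { }
    }
}
```

The declarative equivalent of the first half is a <session-config> block in web.xml with <tracking-mode>COOKIE</tracking-mode> and a <cookie-config> containing <http-only>true</http-only> and <secure>true</secure>. The trade-off is that clients with cookies disabled can no longer hold a session at all, which is almost always the right trade for an authenticated application.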
1 vote, 0 answers
Enabling sessionManagement.sessionFixation for Spring Security original Extension
My team has a spring boot web application. We have recently added SAML support to a service our company provides to clients. We developed a solution based on the spring-security-saml 1.0.6 extension.
One of our clients performed a review and…

Darren Davis
- 11
- 3
1 vote, 0 answers
How to prevent session fixation with a Keycloak Spring Security setup?
We use Keycloak as our identity and access provider, connected to Spring Security by Keycloak's Spring Security adapter. We realized that the session id does not change when a user logs in to the application, which is an open door for session…

frumentum
- 105
- 6
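The two Spring Security questions above (the SAML extension and the Keycloak adapter) share a root cause: sessionManagement().sessionFixation() only configures the authentication filters the DSL itself creates. A processing filter built by hand, which is what both adapters do, keeps whatever SessionAuthenticationStrategy it was given, and a strategy that only registers the session for concurrency control does not rotate the id. The configuration below is an added example, not code from either project. It uses only public Spring Security classes (WebSecurityConfigurerAdapter matches the 4.x/5.x era of the questions; ChangeSessionIdAuthenticationStrategy requires a Servlet 3.1 container, SessionFixationProtectionStrategy is the older migrate-attributes fallback); the protectAgainstFixation helper and the bean names are mine.

```java
import java.util.Arrays;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/**
 * Example wiring: one SessionAuthenticationStrategy shared by the filters the
 * DSL builds and by any AbstractAuthenticationProcessingFilter created by hand.
 */
@Configuration
public class SessionFixationConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    /**
     * Order matters: rotate first, then register. Registering first would
     * record an id that is discarded a moment later, and concurrent-session
     * limits would silently stop working.
     */
    @Bean
    public SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        // On a pre-3.1 container replace this with new SessionFixationProtectionStrategy().
        SessionAuthenticationStrategy rotate = new ChangeSessionIdAuthenticationStrategy();
        SessionAuthenticationStrategy register = new RegisterSessionAuthenticationStrategy(sessionRegistry());
        return new CompositeSessionAuthenticationStrategy(Arrays.asList(rotate, register));
    }

    /**
     * Apply the strategy to a filter that was not created by the DSL, e.g. the
     * SAML or Keycloak processing filter, before it is added to the chain.
     * The strategy runs inside successfulAuthentication(), i.e. after the
     * credentials are accepted and before the SecurityContext is populated.
     */
    public static <F extends AbstractAuthenticationProcessingFilter> F protectAgainstFixation(
            F filter, SessionAuthenticationStrategy strategy) {
        filter.setSessionAuthenticationStrategy(strategy);
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // sessionAuthenticationStrategy(...) replaces sessionFixation().xxx() for
        // the DSL-built filters; hand-built filters still need protectAgainstFixation().
        http.sessionManagement()
            .sessionAuthenticationStrategy(sessionAuthenticationStrategy());
    }
}
```

If the application extends the Keycloak adapter's KeycloakWebSecurityConfigurerAdapter, its sessionAuthenticationStrategy() override is the hook: the adapter passes that return value to the KeycloakAuthenticationProcessingFilter it creates, and the documented example returns only a RegisterSessionAuthenticationStrategy, which reproduces exactly the symptom in the question. Returning the composite above from that override is sufficient there. For the SAML extension, pass the SAMLProcessingFilter bean through protectAgainstFixation(...) (or set the sessionAuthenticationStrategy property on the bean in XML) before adding it to the chain. Verify the fix the same way the scanner did: capture the JSESSIONID value before the POST to the login or SSO endpoint and confirm the Set-Cookie on the response carries a different one.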
1 vote, 2 answers
PHP Sessions - checking previous IP on every page load - To do, or alternatives?
Right now I have this implemented in my Dev environment:
I store $_SERVER['REMOTE_ADDR'] as a session variable upon login, then recheck for the same IP address on every page load.
The more I read, I see that many people don't like this…

Shackrock
- 4,601
- 10
- 48
- 74
1 vote, 1 answer
CSRF token per request in Vaadin
I'm new to Vaadin and I want to implement CSRF token protection. I found that Vaadin already injects a CSRF token in requests, but the problem is that the CSRF token is the same in each request. Is there any configuration in Vaadin to generate a new…

Haneen Jabr
- 11
- 1
1 vote, 1 answer
Update cookie after authentication
Ours is a web application. The security team has suggested that we change the cookie upon every escalation in authorization.
Accordingly, I wanted to update the client-side cookie after authentication, and I used the code below:
…

NutsAndBolts
- 341
- 3
- 13
1 vote, 2 answers
Expected CSRF token not found. Has your session expired?
I have researched this issue on SE and not found the answer to resolve the problem.
From my point of view, every time I log out of the session in the web app and open a new tab, this error is always triggered. I think the session management is not…

FreezY
- 1,641
- 2
- 18
- 31
1 vote, 1 answer
Resolving session fixation bug fix in Resin app server
I am using the Resin app server.
request.getSession().invalidate(); request.getSession(true) is not working properly and is not resetting the session ID while using Resin.
Also I am not able to use request.changeSessionId() as the Resin version is not able to…

dreambigcoder
- 1,859
- 4
- 22
- 32
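Three of the questions on this page ("Generate a new session Id", "Update cookie after authentication" and the Resin one just above) come down to the same operation: issue a fresh session id at the moment authentication, or any step up in privilege, succeeds, from code that has nothing but an HttpServletRequest in hand. The helper below is an added example, not code from any of the posts. It uses only the servlet API (request.changeSessionId() is Servlet 3.1, everything else is 2.5-compatible); the class and method names and the "principal" attribute name are mine. It works from a Filter, a plain class, or a Struts 2 action that fetches the request via ServletActionContext.getRequest(), so there is no need to extend HttpServlet or to do the work inside doGet.

```java
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Session-id rotation needing only an HttpServletRequest (example code). */
public final class SessionRotation {

    private SessionRotation() { }

    /**
     * Servlet 3.1+: same HttpSession object, same attributes, new id, and the
     * container emits a fresh Set-Cookie. changeSessionId() throws
     * IllegalStateException without a session, hence the getSession(true).
     */
    public static String rotateInPlace(HttpServletRequest request) {
        request.getSession(true);
        return request.changeSessionId();
    }

    /**
     * Portable variant for containers without changeSessionId(): copy the
     * attributes, invalidate the old session, create a fresh one, restore the
     * attributes. Review what is copied: any state the pre-login session held
     * was reachable by whoever planted the id, so treat it as untrusted.
     */
    public static HttpSession migrateSession(HttpServletRequest request) {
        Map<String, Object> attributes = new LinkedHashMap<>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                attributes.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : attributes.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }

    /**
     * Call when credentials have been verified (or when the user steps up to
     * a higher privilege), BEFORE the principal is stored in the session.
     * Returns false if the container handed back the old id, which is the
     * failure the Resin question describes and must be treated as a failed
     * login rather than silently accepted.
     */
    public static boolean onAuthenticated(HttpServletRequest request, String principal) {
        HttpSession old = request.getSession(false);
        String oldId = old == null ? null : old.getId();

        HttpSession session = migrateSession(request);   // or rotateInPlace() on 3.1+
        session.setAttribute("principal", principal);

        return oldId == null || !oldId.equals(session.getId());
    }
}
```

Two things to check when onAuthenticated returns false. First, some containers reuse the id the client presented when a session is created right after an invalidate unless told otherwise; that is a container configuration matter, so consult the session settings of the server in use rather than working around it in code. Second, the id the response sends back matters more than the one request.getSession().getId() reports: inspect the Set-Cookie header of the login response with the browser's developer tools or a proxy and confirm it differs from the cookie that was sent in.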
1 vote, 1 answer
Veracode CWE 384 Session Fixation
I'm fixing flaws found by a Veracode static scan, and I found several session fixation flaws like these:
request.getSession().get/set Attribute( );
OWASP said I should invalidate the session after logout and login, but there's no login around these lines.…

Jose Miguel
- 355
- 2
- 6
- 18
1 vote, 2 answers
If I don't send the session ID by URL, do I need to cycle my session id on login?
I've heard that my site can get attacked by hackers who:
1. Go to my site to start a session.
2. Somehow get a client to go to my site with the same session ID.
3. The client logs in.
4. When the attacker comes back to my site with the session id he has full…

Tolure
- 859
- 1
- 14
- 34
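The four steps listed above, played through against a toy in-memory session store, as an added example (not the poster's code). The store, the fixed password "secret" and the user name "alice" are constructed for the demonstration; the id generation mirrors what a container does (random bytes, base64url) but nothing here is a real container. Running it once with rotation off and once with rotation on shows why the answer does not depend on how the id travels: the attacker obtains a perfectly valid id just by visiting the site, and the only thing that kills it is issuing a fresh id at login.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Toy server: one session table, optional id rotation at login (example code). */
public class FixationDemo {

    static final class Session {
        String user;   // null until authenticated
    }

    private final Map<String, Session> sessions = new HashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final boolean rotateOnLogin;

    FixationDemo(boolean rotateOnLogin) {
        this.rotateOnLogin = rotateOnLogin;
    }

    private String newId() {
        byte[] raw = new byte[16];
        rng.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Step 1: anyone who visits gets a session. The attacker does this and keeps the id. */
    String visit() {
        String id = newId();
        sessions.put(id, new Session());
        return id;
    }

    /** Steps 2 and 3: the victim arrives presenting the attacker's id and logs in. */
    String login(String presentedId, String user, String password) {
        if (!"secret".equals(password)) {           // constructed credential check
            throw new SecurityException("bad credentials");
        }
        Session session = sessions.get(presentedId);
        if (session == null) {                       // unknown id: never adopt it, start fresh
            presentedId = visit();
            session = sessions.get(presentedId);
        }
        if (rotateOnLogin) {
            sessions.remove(presentedId);            // the planted id dies here
            presentedId = newId();
            sessions.put(presentedId, session);
        }
        session.user = user;
        return presentedId;                          // the id the victim's browser now holds
    }

    /** Step 4: the attacker comes back with the id they planted. */
    String whoAmI(String id) {
        Session session = sessions.get(id);
        return session == null ? null : session.user;
    }

    public static void main(String[] args) {
        for (boolean rotate : new boolean[] {false, true}) {
            FixationDemo site = new FixationDemo(rotate);
            String planted = site.visit();                       // attacker's own, valid id
            String victimCookie = site.login(planted, "alice", "secret");
            System.out.printf("rotate=%-5b attacker sees %-5s victim's id changed=%b%n",
                    rotate, site.whoAmI(planted), !planted.equals(victimCookie));
        }
    }
}
```

Without rotation the attacker's planted id is now an authenticated session for alice; with rotation the lookup on the planted id returns nothing, and the victim alone holds the new id. Note what the demo does not need: no URL-borne id, no cookie theft, no script access to the cookie. Delivering the planted id to the victim is the attacker's problem, and cookies set from a sibling subdomain, a cookie injected over plain HTTP before the HTTPS visit, or a response-header injection all serve, which is why HttpOnly and cookie-only tracking reduce the attack surface but do not replace rotation at login.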
1 vote, 2 answers
session fixation in Joomla 2.5
Impact that this can cause: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.
And…

alisha.sen
- 15
- 5