dev@glassfish.java.net

Re: FORM Authentication

From: Shing Wai Chan <shing.wai.chan_at_oracle.com>
Date: Tue, 01 Feb 2011 11:17:31 -0800

In 3.0.1, one can configure change session id on authentication in GlassFish
as mentioned in the blog:
http://blogs.sun.com/swchan/entry/change_session_id_on_authentication
In 3.1, it is turned on by default.

Shing Wai Chan

On 2/1/11 9:09 AM, derek_at_itracmedia.com wrote:
> I am using the built-in container-managed security in GlassFish 3.0.1.
>
> I recently applied to Sales Force to become a partner, and upon
> completion of their security review, this is one of the things they
> mentioned that needs to be fixed for me to pass the security review.
>
>
> "Session ID not updated [AppScan Report] - To prevent customer sessions
> and cookies from being stolen or manipulated, a new session should be
> generated upon each successful login."
>
>
> Can anyone provide some insight as to what the problem could be? I
> assume this is all managed by GlassFish?
>
>
> Cheers,
> Derek
>
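
A check for the "Session ID not updated" finding quoted above, as an added example that is not part of the original thread or of GlassFish: it replays a captured browser exchange and reports whether the session cookie changed across the FORM login. The capture format, the `/app` paths and the session IDs are constructed for illustration, and each trace is assumed to record a successful login.

```python
from http.cookies import SimpleCookie

SESSION_COOKIE = "JSESSIONID"      # default servlet session cookie name
LOGIN_PATH = "/j_security_check"   # FORM-login action from the Servlet spec

def session_id_rotated(exchanges):
    """Replay captured exchanges in order. Return True if the session ID in
    use after the login POST differs from the one sent with it, False if it
    was reused, None if no login (or no prior session) was seen."""
    current = before = None
    seen_login = False
    for ex in exchanges:
        if ex["method"] == "POST" and ex["path"].endswith(LOGIN_PATH):
            seen_login, before = True, current
        for header in ex["set_cookie"]:     # Set-Cookie values of the response
            jar = SimpleCookie()
            jar.load(header)
            if SESSION_COOKIE in jar:
                current = jar[SESSION_COOKIE].value
    if not seen_login or before is None:
        return None
    return current != before

# Constructed captures (hypothetical app under /app, made-up session IDs).
REUSED = [
    {"method": "GET", "path": "/app/secure/home",
     "set_cookie": ["JSESSIONID=aaa111; Path=/app; HttpOnly"]},
    {"method": "POST", "path": "/app/j_security_check", "set_cookie": []},
    {"method": "GET", "path": "/app/secure/home", "set_cookie": []},
]
ROTATED = [
    REUSED[0],
    {"method": "POST", "path": "/app/j_security_check",
     "set_cookie": ["JSESSIONID=bbb222; Path=/app; HttpOnly"]},
    REUSED[2],
]

if __name__ == "__main__":
    for name, trace in (("reused", REUSED), ("rotated", ROTATED)):
        print(name, "->", session_id_rotated(trace))
```

A `False` result corresponds to the scanner finding: the pre-login session ID is still the one in use after authentication.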