dev@glassfish.java.net

Re: FORM Authentication

From: Derek Knapp <derek_at_itracmedia.com>
Date: Tue, 01 Feb 2011 14:28:45 -0500

Thank you for your reply!

This is the best news I have heard all week. When they did their review
I was running 3.0.1, but recently we upgraded to 3.1 due to a bug with
the resource loading in 3.0.1 (http://java.net/jira/browse/GLASSFISH-15492)


Derek

On 11-02-01 02:17 PM, Shing Wai Chan wrote:
> In 3.0.1, one can configure change session id on authentication in
> GlassFish
> as mentioned in the blog:
> http://blogs.sun.com/swchan/entry/change_session_id_on_authentication
> In 3.1, it is turned on by default.
>
> Shing Wai Chan
>
> On 2/1/11 9:09 AM, derek_at_itracmedia.com wrote:
>> I am using the built-in container-managed security in GlassFish 3.0.1.
>>
>> I recently applied to Salesforce to become a partner, and upon
>> completion of their security review, this is one of the things they
>> mentioned that needs to be fixed for me to pass the security review.
>>
>>
>> "Session ID not updated [AppScan Report] - To prevent customer sessions
>> and cookies from being stolen or manipulated, a new session should be
>> generated upon each successful login."
>>
>>
>> Can anyone provide some insight as to what the problem could be? I
>> assume this is all managed by GlassFish?
>>
>>
>> Cheers,
>> Derek
>
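
An added example, not part of the original thread or of GlassFish: one way to re-check the "Session ID not updated" finding quoted above after changing the setting or upgrading, by comparing the session ID handed out before login with the one in the login response. The raw responses are constructed samples, and the function names are hypothetical.

```python
import re
from http.cookies import SimpleCookie

# Constructed sample responses, not captured from a real server.
PRE_LOGIN = ("HTTP/1.1 200 OK\r\n"
             "Set-Cookie: JSESSIONID=aaaa1111; Path=/app; HttpOnly\r\n\r\n")
POST_ROTATED = ("HTTP/1.1 302 Found\r\n"
                "Set-Cookie: JSESSIONID=bbbb2222; Path=/app; HttpOnly\r\n"
                "Location: /app/home\r\n\r\n")
POST_REWRITTEN = ("HTTP/1.1 302 Found\r\n"
                  "Location: /app/home;jsessionid=aaaa1111\r\n\r\n")
POST_SILENT = "HTTP/1.1 302 Found\r\nLocation: /app/home\r\n\r\n"


def session_id(raw_response, name="JSESSIONID"):
    """Return the session ID a raw HTTP response hands out, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    location = ""
    for line in head.split("\r\n")[1:]:          # skip the status line
        field, _, value = line.partition(":")
        field = field.strip().lower()
        if field == "set-cookie":
            cookie = SimpleCookie()
            cookie.load(value.strip())
            if name in cookie:
                return cookie[name].value
        elif field == "location":
            location = value.strip()
    # URL rewriting carries the ID as a ;jsessionid= path parameter.
    match = re.search(r";%s=([^;?#/]+)" % re.escape(name), location, re.I)
    return match.group(1) if match else None


def rotated_on_login(pre_login, post_login):
    """True only if the login response issues an ID that differs from the old one."""
    before, after = session_id(pre_login), session_id(post_login)
    if before is None:
        raise ValueError("pre-login response carries no session ID")
    # No new ID after login means the client keeps presenting the old one.
    return after is not None and after != before


if __name__ == "__main__":
    for label, post in [("rotated", POST_ROTATED), ("rewritten", POST_REWRITTEN),
                        ("silent", POST_SILENT)]:
        print(label, "PASS" if rotated_on_login(PRE_LOGIN, post) else "FAIL")
```

Feed it the response to the first unauthenticated request for a protected page and the response to the login form submission from the same client.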