users@glassfish.java.net

Re: Session fixation countermeasures

From: Shing Wai Chan <shing.wai.chan_at_oracle.com>
Date: Fri, 23 Apr 2010 17:12:37 -0700

We are working on porting the fix mentioned below from Tomcat to GlassFish.
Shing Wai Chan

On 4/21/10 12:55 AM, glassfish_at_javadesktop.org wrote:
>> http://www.acros.si/papers/session_fixation.pdf
>>
>> Browsers should Disable cookies and WebServers should
>> create a new session(id) tied to the client cert
>> after authentication
>>
>> would suggest taking a long look at "network traffic
>> modification"
>>
> Thanks for your response! I'm painfully aware of this paper and the suggested general remedies. Given that requiring client certs or disabling cookie-based session management are not an option in my case, I'm wondering if there isn't (or should be) a way of configuring Glassfish around this problem, as has been done with Tomcat. (See comment https://issues.apache.org/bugzilla/show_bug.cgi?id=45255#c27)
>
> As a web app developer, how can I change the session id after authentication?
>
> Setting "enableURLRewriting" session-config to false would help by preventing the most easily exploited attacks but it would not solve the problem. I say "would" because from http://forums.java.net/jive/message.jspa?messageID=250324 and http://www.i-coding.de/www/en/glassfish/configuration/session-id.html I gathered that this parameter doesn't work in v2.1. I hope I'm wrong.
>
> J.R.
> [Message sent by forum member 'janonym']
>
> http://forums.java.net/jive/thread.jspa?messageID=398154
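For the question raised in the quoted message (rotating the session identifier after a successful login), the following is an added illustration written for this thread, not code from GlassFish, Tomcat or the forum poster. It uses only the standard Servlet API available at the time (getSession, invalidate, setAttribute) and assumes the application has already verified the user's credentials before calling markAuthenticated; the helper class name and the "auth.user" attribute are hypothetical.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not container code) that replaces the session id
 * at the authentication boundary, so a session id handed to the victim
 * before login is never the one that carries the authenticated state.
 */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Invalidates the pre-authentication session and creates a fresh one.
     * Attributes the application still needs (e.g. a shopping cart) are
     * copied across; everything else about the old session is discarded.
     *
     * @return the new session, with a new identifier
     */
    public static HttpSession rotateSessionId(HttpServletRequest request) {
        HttpSession oldSession = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (oldSession != null) {
            // Raw Enumeration keeps this compiling against Servlet 2.5 as well as 3.0.
            Enumeration<?> names = oldSession.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, oldSession.getAttribute(name));
            }
            // Invalidate first: the container then issues a new id on the next getSession(true).
            oldSession.invalidate();
        }
        HttpSession newSession = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            newSession.setAttribute(e.getKey(), e.getValue());
        }
        return newSession;
    }

    /**
     * Call this only after credentials have been verified. The order matters:
     * rotate the id, then record the authenticated principal on the new session,
     * so the login marker is never attached to an id the client knew before login.
     */
    public static HttpSession markAuthenticated(HttpServletRequest request, String username) {
        HttpSession session = rotateSessionId(request);
        session.setAttribute("auth.user", username); // hypothetical attribute name
        return session;
    }
}
```

From a login servlet the call is simply `SessionRotation.markAuthenticated(request, username);` once the password (or other credential) has been checked. Because the new session is created with `getSession(true)`, the container writes a fresh JSESSIONID cookie to the response; this only closes the cookie-based fixation path if URL rewriting is also disabled, as the quoted message already notes, since otherwise a fixed id can still be supplied in the URL. Later Servlet versions (3.1 onward) added `HttpServletRequest.changeSessionId()`, which keeps the existing session object and replaces only its identifier, removing the need to copy attributes by hand.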