users@glassfish.java.net

Session fixation countermeasures

From: <glassfish_at_javadesktop.org>
Date: Mon, 19 Apr 2010 23:54:44 PDT

Hi all,

I'm looking for information on preventing session fixation attacks on web-apps running on GlassFish. For Tomcat, the problem seems to have been solved transparently by the container since 5.5.29, 6.0.21, and 7.x (see https://issues.apache.org/bugzilla/show_bug.cgi?id=45255). What would be the right thing to do for GlassFish v2.1? Did I miss something obvious? Any experiences or insight greatly appreciated.

J.R.
[Message sent by forum member 'janonym']

http://forums.java.net/jive/thread.jspa?messageID=397950