users@glassfish.java.net

Re: RE: Session fixation countermeasures

From: <glassfish_at_javadesktop.org>
Date: Wed, 21 Apr 2010 00:55:37 PDT

> http://www.acros.si/papers/session_fixation.pdf
>
> Browsers should Disable cookies and WebServers should
> create a new session(id) tied to the client cert
> after authentication
>
> would suggest taking a long look at "network traffic
> modification"

Thanks for your response! I'm painfully aware of this paper and the suggested general remedies. Given that requiring client certs or disabling cookie-based session management are not an option in my case, I'm wondering if there isn't (or should be) a way of configuring Glassfish around this problem, as has been done with Tomcat. (See comment https://issues.apache.org/bugzilla/show_bug.cgi?id=45255#c27)

As a web app developer, how can I change the session id after authentication?

Setting "enableURLRewriting" session-config to false would help by preventing the most easily exploited attacks but it would not solve the problem. I say "would" because from http://forums.java.net/jive/message.jspa?messageID=250324 and http://www.i-coding.de/www/en/glassfish/configuration/session-id.html I gathered that this parameter doesn't work in v2.1. I hope I'm wrong.

J.R.
[Message sent by forum member 'janonym']

http://forums.java.net/jive/thread.jspa?messageID=398154
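On the question of how an application can change the session id itself after authentication: on a Servlet 2.5 container such as GlassFish v2.1 there is no API to renew the id in place, so the usual countermeasure is to invalidate the pre-login session and create a fresh one, copying across only the attributes the application deliberately wants to keep. The code below is an added illustration of that pattern, not code from this thread or from GlassFish; the attribute names, the `CARRY_OVER` whitelist and the in-memory user table are constructed for the example, and the credential check stands in for whatever the real application uses.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Login servlet for an application that manages its own authentication (not container-managed). */
public class LoginServlet extends HttpServlet {

    /** Constructed demo users; a real application verifies against its own store with hashed passwords. */
    private static final Map<String, String> DEMO_USERS = new HashMap<String, String>();
    static {
        DEMO_USERS.put("alice", "correct horse battery staple"); // constructed sample credential
    }

    /** Attributes that may survive the session boundary (e.g. a pre-login shopping cart). Anything not
     *  listed here is dropped, so state an attacker could have planted before login does not follow the
     *  victim into the authenticated session. Hypothetical names for the example. */
    private static final Set<String> CARRY_OVER = new HashSet<String>(Arrays.asList("cart", "locale"));

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || !pass.equals(DEMO_USERS.get(user))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The fixation-prone variant would be: req.getSession(true).setAttribute("user", user);
        // which keeps whatever session id the browser already presented (possibly one chosen
        // by an attacker). Instead, rotate the session so the authenticated id is freshly generated.
        HttpSession session = rotateAfterLogin(req);
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home"); // hypothetical landing page
    }

    /**
     * Discards the session that existed before authentication and returns a new one.
     * On Servlet 2.5 this is the only portable way to obtain a new session id.
     */
    static HttpSession rotateAfterLogin(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                if (CARRY_OVER.contains(name)) {
                    carried.put(name, old.getAttribute(name));
                }
            }
            old.invalidate(); // the old id is now unusable, by the attacker or anyone else
        }
        HttpSession fresh = req.getSession(true); // container issues a new id and sets a new cookie
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Two practical caveats: this only works where the application itself handles the login request; with container-managed form authentication (`j_security_check`) the application never sees the request, and renewal has to come from the container. Later servlet versions added `HttpServletRequest.changeSessionId()` (Servlet 3.1) for exactly this purpose, and disabling URL rewriting on top of it ensures the new id is only ever carried in the cookie, not in a URL an attacker could hand to the victim.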