users@glassfish.java.net

Re: Glassfish 3.0.1 - Session Reset

From: Ryan Lubke <ryan.lubke_at_oracle.com>
Date: Tue, 01 Feb 2011 09:33:41 -0800

Actually, I believe GlassFish by default will assign a new session ID
after authentication to help prevent this type of attack.

From AuthenticatorBase in the web-core module:

    /**
     * Should the session ID, if any, be changed upon a successful
     * authentication to prevent a session fixation attack?
     */
    protected boolean changeSessionIdOnAuthentication = true;

On 2/1/11 9:06 AM, Collins, Russell wrote:
>
> Maybe the proper way of asking what I need is by saying that I was
> wondering if Glassfish provided a mechanism to prevent Session
> Fixation attacks.
>
> *Russell Collins*
>
> Sr. Software Engineer
>
> "Do or do not, there is no try." - Yoda
>
> *From:* Collins, Russell [mailto:rcollins_at_corelogic.com]
> *Sent:* Tuesday, February 01, 2011 8:17 AM
> *To:* 'users_at_glassfish.java.net'
> *Subject:* Glassfish 3.0.1 - Session Reset
>
> I have been given a task to research and come up with a solution
> regarding a security issue. When a user logs into our application, we
> are looking to reset the session to prevent an old session from being
> compromised. I am told that there is a facility in BEA Weblogic that
> does this. Is there a facility in Glassfish 3.0.1 that I can use that
> will do this operation or is this something that I am going to have to
> create from scratch? Any help and direction you can give me will be
> greatly appreciated.
>
> *Russell Collins*
>
> Sr. Software Engineer
>
> ------------------------------------------------------------------------
>
> ***************************
> This message may contain confidential or proprietary information
> intended only
> for the use of the addressee(s) named above or may contain information
> that is
> legally privileged. If you are not the intended addressee, or the person
> responsible for delivering it to the intended addressee, you are hereby
> notified that reading, disseminating, distributing or copying this
> message is
> strictly prohibited. If you have received this message by mistake, please
> immediately notify us by replying to the message and delete the original
> message and any copies immediately thereafter.
>
> Thank you.
> ****************************
>
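Ryan's reply points at GlassFish's built-in session ID rotation on authentication. As an added illustration (not code from GlassFish, nor from either poster), this is what the same mitigation looks like in application code on Servlet 3.0, the level GlassFish 3.0.1 implements, where `HttpServletRequest.changeSessionId()` (introduced in Servlet 3.1) is not yet available; `credentialsValid` is a hypothetical stand-in for the application's real credential check.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Rotates the session ID after a successful login so that any session ID
 * fixed on the browser before authentication stops being valid. Servlet 3.0
 * lacks changeSessionId(), so the old session is invalidated and its
 * attributes are copied into a freshly created one.
 */
public class LoginServlet extends HttpServlet {

    /** Hypothetical credential check; the real application would use its realm. */
    private boolean credentialsValid(String user, String password) {
        return "alice".equals(user) && "correct horse".equals(password);
    }

    static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();               // the pre-login ID is dead from here on
        }
        HttpSession fresh = request.getSession(true);   // container issues a new ID
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        if (!credentialsValid(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = rotateSession(req);   // rotate before storing identity
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```

Only attributes that are safe to carry across the trust boundary should be copied; anything that was written while the session was unauthenticated and that a later check relies on is better dropped than preserved.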