users@glassfish.java.net

Re: Glassfish 3.0.1 - Session Reset

From: Shing Wai Chan <shing.wai.chan_at_oracle.com>
Date: Tue, 01 Feb 2011 11:09:17 -0800

In 3.1, by default, the changeSessionIdAuthentication is on.
In 3.0.1, one needs to turn on the feature explicitly.
See http://blogs.sun.com/swchan/entry/change_session_id_on_authentication

Shing Wai Chan

On 2/1/11 9:33 AM, Ryan Lubke wrote:
> Actually, I believe GlassFish by default will assign a new session ID
> after authentication to help prevent this type of attack.
>
> From AuthenticatorBase in the web-core module:
>
> /**
> * Should the session ID, if any, be changed upon a successful
> * authentication to prevent a session fixation attack?
> */
> protected boolean changeSessionIdOnAuthentication = true;
>
> On 2/1/11 9:06 AM, Collins, Russell wrote:
>>
>> Maybe the proper way of asking what I need is by saying that I was
>> wondering if Glassfish provided a mechanism to prevent Session
>> Fixation attacks.
>>
>> *Russell Collins*
>>
>> Sr. Software Engineer
>>
>> "Do or do not, there is no try." - Yoda
>>
>> *From:* Collins, Russell [mailto:rcollins_at_corelogic.com]
>> *Sent:* Tuesday, February 01, 2011 8:17 AM
>> *To:* 'users_at_glassfish.java.net'
>> *Subject:* Glassfish 3.0.1 - Session Reset
>>
>> I have been given a task to research and come up with a solution
>> regarding a security issue. When a user logs into our application,
>> we are looking to reset the session to prevent an old session from
>> being compromised. I am told that there is a facility in BEA
>> Weblogic that does this. Is there a facility in Glassfish 3.0.1 that
>> I can use that will do this operation or is this something that I am
>> going to have to create from scratch? Any help and direction you can
>> give me will be greatly appreciated.
>>
>> *Russell Collins*
>>
>> Sr. Software Engineer
>>
>> ------------------------------------------------------------------------
>>
>> ***************************
>> This message may contain confidential or proprietary information
>> intended only
>> for the use of the addressee(s) named above or may contain
>> information that is
>> legally privileged. If you are not the intended addressee, or the person
>> responsible for delivering it to the intended addressee, you are hereby
>> notified that reading, disseminating, distributing or copying this
>> message is
>> strictly prohibited. If you have received this message by mistake, please
>> immediately notify us by replying to the message and delete the original
>> message and any copies immediately thereafter.
>>
>> Thank you.
>> ****************************
>>
>
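The thread above describes the defence the container applies for you (GlassFish's AuthenticatorBase issues a new session ID after a successful authentication). Where an application performs its own login rather than container-managed authentication, the same rotation has to be done by hand. The servlet below is an added example written for this page; it is not GlassFish code and not the code Ryan quotes from AuthenticatorBase. It assumes the Servlet 3.0 API (javax.servlet) available in GlassFish 3.0.1, a hypothetical servlet class named SessionRotatingLoginServlet, and that the application supplies its real credential check by implementing the abstract checkCredentials method; the request parameter names "username" and "password" are likewise assumed.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical login servlet (added example, not GlassFish code) that
 * discards the pre-authentication session ID once credentials are verified,
 * so an ID an attacker may have planted before login is never the ID of an
 * authenticated session.
 */
public abstract class SessionRotatingLoginServlet extends HttpServlet {

    /** Supplied by the application: verify the credentials against its store. */
    protected abstract boolean checkCredentials(String username, String password);

    /**
     * Replace the current session with a fresh one, carrying over any
     * attributes worth keeping (a shopping cart, a locale, ...). On a
     * Servlet 3.0 container this is done by invalidating the old session and
     * creating a new one; the container issues the new ID on getSession(true).
     */
    static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();              // the previously known ID is now dead
        }
        HttpSession fresh = request.getSession(true);   // new ID issued here
        for (Map.Entry<String, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");   // assumed parameter name
        String password = req.getParameter("password");   // assumed parameter name

        if (username == null || password == null
                || !checkCredentials(username, password)) {
            // Failed login: leave the session untouched and report the failure.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Successful login: rotate the ID, then mark the fresh session as
        // authenticated. Nothing authenticated is ever stored under the old ID.
        HttpSession session = rotateSession(req);
        session.setAttribute("authenticatedUser", username);
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```

The order matters: the rotation happens only after the credential check succeeds, and the authenticated marker is written only to the new session, so a failed attempt neither churns sessions nor leaves anything of value under the old ID. On a Servlet 3.1 container (GlassFish 4 and later) the invalidate-and-copy dance in rotateSession can be replaced by a single call to request.changeSessionId(), which keeps the session's attributes and only swaps the identifier; on GlassFish 3.0.1 that method does not exist, which is why the example copies attributes by hand.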