users@glassfish.java.net

RE: Glassfish 3.0.1 - Session Reset

From: Collins, Russell <rcollins_at_corelogic.com>
Date: Tue, 1 Feb 2011 13:23:03 -0600

Thank you Shing and Ryan. You have been very helpful.


Russell Collins
Sr. Software Engineer
CoreLogic Spatial Solutions

"Do or do not, there is no try." - Yoda

From: Shing Wai Chan [mailto:shing.wai.chan_at_oracle.com]
Sent: Tuesday, February 01, 2011 1:09 PM
To: users_at_glassfish.java.net
Subject: Re: Glassfish 3.0.1 - Session Reset

In 3.1, by default, the changeSessionIdAuthentication is on.
In 3.0.1, one needs to turn on the feature explicitly.
See http://blogs.sun.com/swchan/entry/change_session_id_on_authentication

Shing Wai Chan

On 2/1/11 9:33 AM, Ryan Lubke wrote:
Actually, I believe GlassFish by default will assign a new session ID after authentication to help prevent this type of attack.

From AuthenticatorBase in the web-core module:

    /**
     * Should the session ID, if any, be changed upon a successful
     * authentication to prevent a session fixation attack?
     */
    protected boolean changeSessionIdOnAuthentication = true;

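The two replies above describe the container-side defence: GlassFish's AuthenticatorBase can issue a fresh session ID at authentication time, on by default in 3.1 and switchable in 3.0.1. For an application that performs its own login handling, or that runs on 3.0.1 with the feature left off, the same effect can be achieved in application code. The servlet below is an added example written for this page; it is not GlassFish code and not code from anyone in the thread. The class name LoginServlet, the /login path, the parameter names, the credentialsValid() placeholder and the list of attributes worth carrying across the login are all assumptions. It targets the Servlet 3.0 API that GlassFish 3.0.1 implements, which has no HttpServletRequest.changeSessionId(), so the portable technique is: copy the attributes you want to keep, invalidate the old session, obtain a new one, and restore those attributes.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical application-managed login (example code, not GlassFish's own).
 * The ID the browser held before login is never promoted to an authenticated
 * session: once credentials are accepted, the old session is invalidated and a
 * new ID is issued before anything sensitive is stored.
 */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    /** Assumed: the only pre-login state worth carrying across the login boundary. */
    private static final Set<String> KEEP_ACROSS_LOGIN =
            new HashSet<String>(Arrays.asList("cart", "locale"));

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        if (!credentialsValid(user, pass)) {
            // Failed login: leave the unauthenticated session untouched, reveal nothing.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Credentials accepted: discard the pre-login session ID first.
        HttpSession fresh = renewSession(req);
        fresh.setAttribute("authenticatedUser", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /**
     * Invalidates the current session (if any) and returns a new one. Only the
     * whitelisted attributes are copied, so nothing planted in the old session
     * before login is silently carried into the authenticated one.
     */
    static HttpSession renewSession(HttpServletRequest req) {
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            for (String name : KEEP_ACROSS_LOGIN) {
                Object value = old.getAttribute(name);
                if (value != null) {
                    saved.put(name, value);
                }
            }
            old.invalidate();                 // old ID stops working everywhere
        }
        HttpSession fresh = req.getSession(true); // container issues a new ID
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Placeholder for the application's real credential check (assumed, not shown here). */
    private boolean credentialsValid(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}
```

If the container feature from the replies above is enabled and you use container-managed (form or programmatic) authentication, the container already performs this renewal during authentication and the manual step is redundant; the code above is for logins the container does not see. On Servlet 3.1 and later containers the invalidate-and-copy dance can be replaced by a single call to HttpServletRequest.changeSessionId(), which keeps the session's attributes and changes only the ID. Either way, the check a reviewer should make is that the session cookie value observed before the login POST differs from the one returned after it.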
On 2/1/11 9:06 AM, Collins, Russell wrote:
Maybe the proper way of asking what I need is by saying that I was wondering if Glassfish provided a mechanism to prevent Session Fixation attacks.


Russell Collins
Sr. Software Engineer

"Do or do not, there is no try." - Yoda

From: Collins, Russell [mailto:rcollins_at_corelogic.com]
Sent: Tuesday, February 01, 2011 8:17 AM
To: users_at_glassfish.java.net
Subject: Glassfish 3.0.1 - Session Reset

I have been given a task to research and come up with a solution regarding a security issue. When a user logs into our application, we are looking to reset the session to prevent an old session from being compromised. I am told that there is a facility in BEA Weblogic that does this. Is there a facility in Glassfish 3.0.1 that I can use that will do this operation or is this something that I am going to have to create from scratch? Any help and direction you can give me will be greatly appreciated.


Russell Collins
Sr. Software Engineer


________________________________
***************************
This message may contain confidential or proprietary information intended only
for the use of the addressee(s) named above or may contain information that is
legally privileged. If you are not the intended addressee, or the person
responsible for delivering it to the intended addressee, you are hereby
notified that reading, disseminating, distributing or copying this message is
strictly prohibited. If you have received this message by mistake, please
immediately notify us by replying to the message and delete the original
message and any copies immediately thereafter.

Thank you.
****************************