Details
-
Feature Request
-
Resolution: Won't Do
-
Major
-
None
-
7.1.1.Final
Description
I tried to find a way so I can regenerate the Session ID.
The server generate the "sessionId" when the user open the login page. After all the "authentication process" inside the secured system, the user still have the same "sessionId".
This is a security problem. This allow a not good intended person to hijack the user session consequently giving all permission to this person that the hijacked session has.
The link bellow show an possible way to fix that inside the program. The problem is that this code doesn't work on JBoss.
https://www.owasp.org/index.php/Session_Fixation_in_Java
