servlet-spec / SERVLET_SPEC-13

Make session fixation protection part of the spec

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:
      None

      Description

      One of the options for providing protection against session fixation is to change the ID of a session on authentication. It would be good if something along the lines of a changeId() method could be added to the session interface to enable custom security solutions to do this easily. An associated event for session listeners would also be required.

        Activity

        markt_asf created issue -
        markt_asf added a comment -

        On a related note we may want to consider an option to control if this happens when using container provided authentication.

        Rajiv Mordani made changes -
        Field Original Value New Value
        Assignee Rajiv Mordani [ mode ]
        Shing Wai Chan made changes -
        Assignee Rajiv Mordani [ mode ] Shing Wai Chan [ swchan2 ]
        Shing Wai Chan made changes -
        Status Open [ 1 ] In Progress [ 3 ]
        janbartel added a comment -

        Access will be needed to the current request, and also the current response in order to effectively change the session id.

        So I propose we add the following to the HttpSession object:

        public String changeId (HttpServletRequest request, HttpServletResponse response);

        where the return value is the new sessionId.

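Added example, not part of this issue or of the spec text: a login servlet written against the API this issue eventually produced in Servlet 3.1 (HttpServletRequest.changeSessionId() returning the new id, and HttpSessionIdListener receiving the old one), rather than the changeId(request, response) signature proposed above. It assumes the javax.servlet namespace and container-managed authentication via HttpServletRequest.login(); LoginServlet, SessionIdAuditListener and the /login path are hypothetical names.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

/** Hypothetical login endpoint that rotates the session id at the authentication boundary. */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // A session that exists before login carries an id the client already knows,
        // possibly one an attacker planted. Make sure one exists so there is an id to rotate.
        String oldId = req.getSession(true).getId();
        try {
            // Container-managed authentication (Servlet 3.0); throws on bad credentials.
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException failed) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Servlet 3.1 API as it shipped: the container issues a fresh id, keeps the
        // session's attributes, and writes the Set-Cookie for the new id to this response.
        String newId = req.changeSessionId();
        if (oldId.equals(newId)) {
            // A container that keeps the pre-login id gives no fixation protection; fail loudly.
            throw new IllegalStateException("session id was not rotated on login");
        }
        // Bind application state only now, after the id the client knew has changed.
        req.getSession().setAttribute("loginTime", System.currentTimeMillis());
        resp.sendRedirect(req.getContextPath() + "/");
    }

    /** The listener side the issue asks for: observe rotations for audit and detection. */
    @WebListener
    public static class SessionIdAuditListener implements HttpSessionIdListener {
        @Override
        public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
            // Log only a prefix; full session ids in logs are themselves a credential leak.
            String newId = event.getSession().getId();
            System.out.printf("session id rotated %.8s... -> %.8s...%n", oldSessionId, newId);
        }
    }
}
```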
        gregwilkins added a comment -

        Note also that we have to consider shared session IDs with cross context dispatch.

        If a server is working with cross context dispatch, then many contexts can have the same session ID pointing to different sessions. Changing the session ID on one context will have to change the session ID for all contexts (just as invalidating on one will invalidate on all).

        cheers

        Shing Wai Chan added a comment -

        Incremental fixes:
        Committed revision 42.

        Modified Paths:
        ---------------
        trunk/servletcontext.fm
        trunk/javaEE.fm
        trunk/eod-pluggability.fm
        trunk/status.fm
        trunk/events.fm
        trunk/requestobject.fm

        Shing Wai Chan added a comment -

        Sending sessions.fm
        Sending status.fm
        Transmitting file data ..
        Committed revision 44.

        Shing Wai Chan made changes -
        Status In Progress [ 3 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]

          People

          • Assignee: Shing Wai Chan
          • Reporter: markt_asf