[SERVLET_SPEC-13] Make session fixation protection part of the spec Created: 04/Oct/11 Updated: 19/Sep/12 Resolved: 19/Sep/12
Reporter: markt_asf
Assignee: Shing Wai Chan
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
One of the options for providing protection against session fixation is to change the ID of a session on authentication. It would be good if something along the lines of a changeId() method could be added to the session interface to enable custom security solutions to do this easily. An associated event for sessions listeners would also be required.
Comment by markt_asf [04/Oct/11]
On a related note we may want to consider an option to control if this happens when using container provided authentication.
Comment by janbartel [06/Feb/12]
Access will be needed to the current request, and also the current response in order to effectively change the session id.
So I propose we add the following to the HttpSession object:
public String changeId (HttpServletRequest request, HttpServletResponse response);
where the return value is the new sessionId.
Comment by gregwilkins [06/Feb/12]
Note also that we have to consider shared session IDs with cross context dispatch.
If a server is working with cross context dispatch, then many contexts can have the same session ID pointing to different sessions. Changing the session ID on one context will have to change the session ID for all contexts (just as invalidating on one will invalidate on all).
Comment by Shing Wai Chan [14/Sep/12]
Comment by Shing Wai Chan [19/Sep/12]
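The thread above asks for a spec-level changeId() so that custom security code does not have to rotate the session ID by hand. The following is an added example, not code from this issue, the Servlet spec or any container, of the hand-rolled workaround that such code has to use without that method: a hypothetical login filter mapped to /login that, once credentials check out, invalidates the session the client arrived with and moves its state into a freshly created one, so an ID planted by an attacker before login never becomes an authenticated session. The filter path, the attribute name, and the in-memory user table are all assumptions constructed for the example; it targets the javax.servlet API as it stood before any changeId() existed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical login filter (example code, not spec or container code).
 * On successful authentication it discards the session the client arrived with
 * and recreates it, which is the workaround a spec-level changeId() would replace.
 */
public class SessionFixationLoginFilter implements Filter {

    // Session attribute holding the authenticated user name; assumed name.
    static final String USER_ATTR = "auth.user";

    // Constructed user table: user name -> SHA-256 of the password, hex encoded.
    // "alice" / "correct horse" is the only valid pair in this example.
    private static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("alice", sha256Hex("correct horse"));
    }

    @Override
    public void init(FilterConfig config) {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if ("POST".equals(request.getMethod()) && "/login".equals(request.getServletPath())) {
            String user = request.getParameter("username");
            String password = request.getParameter("password");
            if (user != null && password != null && checkCredentials(user, password)) {
                // The current session ID may have been chosen by an attacker
                // (fixation), so never mark that session as authenticated.
                HttpSession fresh = renewSession(request);
                fresh.setAttribute(USER_ATTR, user);
                response.sendRedirect(request.getContextPath() + "/");
            } else {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            }
            return;
        }
        chain.doFilter(request, response);
    }

    /**
     * Invalidates the existing session (if any), creates a new one and copies the
     * non-security attributes across. getSession(true) makes the container issue a
     * new ID and a new Set-Cookie on the response, which is why the thread notes
     * that changing an ID needs the response, not just the request.
     */
    static HttpSession renewSession(HttpServletRequest request) {
        Map<String, Object> carried = new HashMap<>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                if (!USER_ATTR.equals(name)) {   // never carry a stale principal over
                    carried.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    // Constant-time comparison of password digests against the constructed table.
    static boolean checkCredentials(String user, String password) {
        String expected = USERS.get(user);
        if (expected == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     sha256Hex(password).getBytes(StandardCharsets.UTF_8));
    }

    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The invalidate-and-recreate approach also illustrates the cross-context point raised in the thread: invalidating the session in one context invalidates it for every context sharing that ID, but only this context's attributes are copied into the new session, so state held by the other contexts is lost. A container-provided changeId() that renames the ID everywhere at once avoids that loss, which is part of the case for putting it in the spec.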