
[JIRA] Commented: (SERVLET_SPEC-13) Make session fixation protection part of the spec

  • From: "janbartel (JIRA)" <jira-no-reply@...>
  • To: issues@...
  • Subject: [JIRA] Commented: (SERVLET_SPEC-13) Make session fixation protection part of the spec
  • Date: Mon, 6 Feb 2012 22:59:53 +0000 (GMT+00:00)
  • Auto-submitted: auto-generated


[ http://java.net/jira/browse/SERVLET_SPEC-13?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=330773#action_330773 ]

janbartel commented on SERVLET_SPEC-13:
---------------------------------------

Access will be needed to the current request, and also the current response 
in order to effectively change the session id.

So I propose we add the following to the HttpSession object:

  public String changeId(HttpServletRequest request, HttpServletResponse response);

where the return value is the new sessionId.



> Make session fixation protection part of the spec
> -------------------------------------------------
>
>                 Key: SERVLET_SPEC-13
>                 URL: http://java.net/jira/browse/SERVLET_SPEC-13
>             Project: servlet-spec
>          Issue Type: Improvement
>            Reporter: markt_asf
>            Assignee: Shing Wai Chan
>
> One of the options for providing protection against session fixation is to 
> change the ID of a session on authentication. It would be good if something 
> along the lines of a changeId() method could be added to the session 
> interface to enable custom security solutions to do this easily. An 
> associated event for sessions listeners would also be required.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://java.net/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
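The comment above argues that changing a session id on authentication needs both the request and the response, because the container has to create the new id and send the replacement cookie. The following servlet, written as an added example and not code from this thread or from any servlet container, shows the portable way to get that effect on a Servlet 3.0 container where no `changeId` exists: copy the attributes to a fresh session, invalidate the old one, and only then mark the session as authenticated. The credential store and the request parameter names are constructed for the example. Servlet 3.1 later standardised this as `HttpServletRequest.changeSessionId()`, which keeps the same `HttpSession` object and returns the new id, so the copy step below becomes unnecessary there.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    // Constructed demo credential store. A real deployment verifies a password hash,
    // never a plaintext secret held in memory.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("alice", "correct horse battery staple");
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");
        String pass = request.getParameter("password");
        if (user == null || pass == null || !constantTimeEquals(USERS.get(user), pass)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Authentication succeeded. Rotate the session id BEFORE storing any
        // authenticated state, so an id that existed prior to login (and may have
        // been fixed by someone else) never carries the logged-in session.
        HttpSession session = rotateSession(request);
        session.setAttribute("user", user);
        response.sendRedirect(request.getContextPath() + "/");
    }

    /**
     * Portable session id rotation for containers without changeId():
     * preserve the pre-login attributes (e.g. a shopping cart), invalidate the
     * old session and create a new one. getSession(true) makes the container
     * issue a Set-Cookie for the new id on the current response, which is why
     * the proposal in the thread needs the response as well as the request.
     */
    static HttpSession rotateSession(HttpServletRequest request) {
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Compare secrets without an early-exit on the first differing byte. */
    static boolean constantTimeEquals(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }
}
```

Two things to check when deploying this pattern: any `HttpSessionListener` or `HttpSessionBindingListener` in the application will see a destroy followed by a create rather than a single "id changed" event (the missing event the issue reporter asks for), and the old id must no longer be accepted after `invalidate()`, which is worth confirming in a test that replays the pre-login cookie.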
