cxf-issues mailing list archives

From "Jan Bernhardt (JIRA)" <j...@apache.org>
Subject [jira] [Created] (FEDIZ-152) Disable URL rewrites with SessionID to avoid session hijacking
Date Wed, 03 Feb 2016 14:04:39 GMT
Jan Bernhardt created FEDIZ-152:
-----------------------------------

             Summary: Disable URL rewrites with SessionID to avoid session hijacking
                 Key: FEDIZ-152
                 URL: https://issues.apache.org/jira/browse/FEDIZ-152
             Project: CXF-Fediz
          Issue Type: Improvement
          Components: IDP, OIDC
            Reporter: Jan Bernhardt
            Assignee: Jan Bernhardt
             Fix For: 1.3.0


If cookies are disabled within the browser, the servlet container (like Tomcat) will usually
switch to URL rewriting by adding the JSESSIONID to the URL.
This is dangerous because users tend to copy URLs from their browser and post them in chat
or public forums, thus allowing someone else to hijack their session.

Therefore it is best practice to ensure that a session ID will not be included within the URL.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
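One way to apply this mitigation in a Servlet 3.0+ web application, as an added example that is not Fediz's own code (the package and class names are hypothetical): the listener tells the container to track sessions with cookies only, and the filter additionally neutralises URL rewriting for any code path that still calls encodeURL/encodeRedirectURL.

```java
// Added example, not part of CXF-Fediz. Package and class names are hypothetical.
package example;

import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.*;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Servlet 3.0+: restrict session tracking to cookies, so no ";jsessionid=" is appended. */
@WebListener
public class CookieOnlySessionListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Equivalent to <session-config><tracking-mode>COOKIE</tracking-mode></session-config>
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        // Belt and braces: also make URL encoding a no-op for every request.
        ctx.addFilter("noUrlRewrite", NoUrlRewriteFilter.class)
           .addMappingForUrlPatterns(null, false, "/*");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}

/** Wraps the response so encodeURL/encodeRedirectURL never insert a session ID. */
class NoUrlRewriteFilter implements Filter {
    @Override public void init(FilterConfig fc) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            res = new HttpServletResponseWrapper((HttpServletResponse) res) {
                @Override public String encodeURL(String url) { return url; }
                @Override public String encodeRedirectURL(String url) { return url; }
            };
        }
        chain.doFilter(req, res);
    }
}
```

With this in place a browser that has cookies disabled simply gets no server-side session rather than a session ID in the URL, which is the intended trade-off.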
