shiro-dev mailing list archives

From "Devendra Mani (JIRA)" <>
Subject [jira] [Commented] (SHIRO-170) Force New Session ID on Authentication
Date Fri, 10 Jul 2015 10:14:06 GMT


Devendra Mani commented on SHIRO-170:

I feel you are using the Spring framework and using Shiro for authentication. The configuration looks correct, but I have not checked it personally. The implementation that you show of the custom filter doesn't do anything specific (if I am right). If you are not willing to change any default behaviour then there is no need to extend and use your own filter. But if you need some customization like OWASP session fixation resolution, account lock feature, etc., then you have to extend it.

> Force New Session ID on Authentication
> --------------------------------------
>                 Key: SHIRO-170
>                 URL:
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Configuration
>    Affects Versions: 1.0.0, 1.1.0, 1.2.0
>            Reporter: Jakob Külzer
>            Priority: Minor
>             Fix For: 1.3.0
> I am working on an application that has very high security standards. One of the issues
> raised after a full audit of the app is that it might be vulnerable to session fixation attacks.
> Shiro does not reset the Session ID after successful authentication, which would prevent this
> type of attack.
> IMHO this would add another level of security to Shiro beneficial for all kinds of applications.

> OWASP has a good page on session fixation attacks:

This message was sent by Atlassian JIRA
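The kind of filter extension the comment refers to, as an added example that is neither Shiro's code nor from this thread: a hypothetical `SessionRotatingAuthenticationFilter` that, once login succeeds, invalidates the pre-authentication session and carries its state into a freshly created one, using Shiro's `FormAuthenticationFilter`, `Subject` and `Session` APIs. The class package and the `shiro.ini` paths in the comments are assumed.

```java
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical filter (added example, not Shiro's own code) that rotates the
 * session ID after a successful login, the mitigation OWASP recommends for
 * session fixation: an ID that existed before authentication must not remain
 * valid afterwards, so a pre-planted ID never becomes an authenticated one.
 *
 * shiro.ini wiring (assumed paths), replacing the default "authc" filter:
 *   [main]
 *   authc = com.example.SessionRotatingAuthenticationFilter
 *   authc.loginUrl = /login.jsp
 */
public class SessionRotatingAuthenticationFilter extends FormAuthenticationFilter {

    @Override
    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
                                     ServletRequest request, ServletResponse response)
            throws Exception {
        Session old = subject.getSession(false);
        if (old != null) {
            // Preserve application state, including the principal/authenticated
            // attributes Shiro itself stored in the session during login, so the
            // user stays logged in after the rotation.
            Map<Object, Object> attributes = new HashMap<Object, Object>();
            for (Object key : old.getAttributeKeys()) {
                attributes.put(key, old.getAttribute(key));
            }
            // Invalidate the pre-authentication session; its ID is now useless to
            // anyone who learned it before the user logged in.
            old.stop();
            // Start a fresh session (new ID, new cookie written by the session
            // manager) and restore the saved state into it.
            Session fresh = subject.getSession(true);
            for (Map.Entry<Object, Object> e : attributes.entrySet()) {
                fresh.setAttribute(e.getKey(), e.getValue());
            }
        }
        // Keep the default behaviour: redirect to the saved request or success URL.
        return super.onLoginSuccess(token, subject, request, response);
    }
}
```

Verify the change by comparing the session cookie value before and after a login: a deployment that still returns the pre-login ID has not closed the fixation window.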
