[ https://issues.apache.org/jira/browse/FEDIZ-152?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Bernhardt updated FEDIZ-152:
--------------------------------
    Fix Version/s: 1.2.2

> Disable URL rewrites with SessionID to avoid session hijacking
> --------------------------------------------------------------
>
>                 Key: FEDIZ-152
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-152
>             Project: CXF-Fediz
>          Issue Type: Improvement
>          Components: IDP, OIDC
>            Reporter: Jan Bernhardt
>            Assignee: Jan Bernhardt
>             Fix For: 1.3.0, 1.2.2
>
>
> If cookies are disabled within the browser, the servlet container (like
> Tomcat) will usually switch to URL rewriting by adding the JSessionID to the
> URL.
> This is dangerous because users tend to copy URLs from their browser and post
> them in chat or public forums, thus allowing someone else to hijack their
> session.
> Therefore it is best practice to ensure that a session ID will not be included
> within the URL.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
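For readers who want to see what "disable URL rewrites with the session ID" looks like in a servlet container, here is an added example (not code from the Fediz project or from the issue) that restricts session tracking to cookies using the standard Servlet 3.0 API. The class name `CookieOnlySessionTracking` is a hypothetical name chosen for the example; the API calls (`setSessionTrackingModes`, `SessionTrackingMode.COOKIE`, `SessionCookieConfig`) are part of the Servlet specification.

```java
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Hypothetical listener (example name) that forces cookie-only session
 * tracking for the whole web application. With URL tracking removed, the
 * container never appends ";jsessionid=..." to URLs, so a copied and pasted
 * link cannot carry a live session identifier. A client that rejects cookies
 * simply gets no persistent session instead of a URL-embedded one.
 */
@WebListener
public class CookieOnlySessionTracking implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Must be called during context initialization (Servlet 3.0+);
        // calling it later throws IllegalStateException.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Hardening of the session cookie itself: not readable from script,
        // and only sent over TLS.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }
}
```

The declarative equivalent in `web.xml` is `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>`. A quick check that the setting took effect: `response.encodeURL(url)` and `response.encodeRedirectURL(url)` return the URL unchanged for every request, whether or not the client sent a session cookie.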