[
https://issues.apache.org/jira/browse/SHIRO-170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13284391#comment-13284391
]
Luke Biddell commented on SHIRO-170:
------------------------------------
+1 voting for this in the next release.
In the meantime I have hacked up the suggested fix by Les. I already have my
own AuthenticationFilter so I've rather cheekily overridden executeLogin and
done this...
import java.util.Collection;
import java.util.LinkedHashMap;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

// Override placed in a subclass of org.apache.shiro.web.filter.authc.AuthenticatingFilter
@Override
protected boolean executeLogin(final ServletRequest request, final ServletResponse response) throws Exception {
    final AuthenticationToken token = createToken(request, response);
    if (token == null) {
        String msg = "createToken method implementation returned null. A valid non-null AuthenticationToken "
                + "must be created in order to execute a login attempt.";
        throw new IllegalStateException(msg);
    }
    try {
        // Stop session fixation issues.
        // https://issues.apache.org/jira/browse/SHIRO-170
        final Subject subject = getSubject(request, response);
        Session session = subject.getSession();
        // Store the attributes so we can copy them to the new session after auth.
        final LinkedHashMap<Object, Object> attributes = new LinkedHashMap<Object, Object>();
        final Collection<Object> keys = session.getAttributeKeys();
        for (Object key : keys) {
            final Object value = session.getAttribute(key);
            if (value != null) {
                attributes.put(key, value);
            }
        }
        // Invalidate the pre-authentication session so its ID is never carried into the authenticated state.
        session.stop();
        subject.login(token);
        // Restore the attributes on the freshly created session.
        session = subject.getSession();
        for (final Object key : attributes.keySet()) {
            session.setAttribute(key, attributes.get(key));
        }
        return onLoginSuccess(token, subject, request, response);
    } catch (AuthenticationException e) {
        return onLoginFailure(token, e, request, response);
    }
}
Not ideal, but WFM right now.
> Force New Session ID on Authentication
> --------------------------------------
>
> Key: SHIRO-170
> URL: https://issues.apache.org/jira/browse/SHIRO-170
> Project: Shiro
> Issue Type: New Feature
> Components: Authentication (log-in), Configuration
> Affects Versions: 1.0.0, 1.1.0, 1.2.0
> Reporter: Jakob Külzer
> Priority: Minor
> Fix For: 1.3.0
>
>
> I am working on an application that has very high security standards. One of
> the issues raised after a full audit of the app is that it might be
> vulnerable to session fixation attacks. Shiro does not reset the Session ID
> after successful authentication, which would prevent this type of attack.
> IMHO this would add another level of security to Shiro beneficial for all
> kinds of applications.
> OWASP has a good page on session fixation attacks:
> http://www.owasp.org/index.php/Session_fixation
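A stand-alone check of the rotate-then-restore approach discussed above, added here as an example and not code from the commenter or from Shiro itself. It assumes only shiro-core on the classpath and uses a constructed account and session attribute to verify that the session ID changes across login and that pre-authentication attributes survive.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class SessionRotationDemo {

    // Copy live attributes, stop the pre-auth session, log in, then restore the attributes on the new session.
    static Session loginWithFreshSession(Subject subject, UsernamePasswordToken token) {
        Session old = subject.getSession();
        Map<Object, Object> saved = new LinkedHashMap<Object, Object>();
        for (Object key : old.getAttributeKeys()) {
            Object value = old.getAttribute(key);
            if (value != null) {
                saved.put(key, value);
            }
        }
        old.stop();                // old ID is invalidated; any value an attacker planted is now useless
        subject.login(token);      // Shiro creates a new session for the authenticated subject
        Session fresh = subject.getSession();
        for (Map.Entry<Object, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    public static void main(String[] args) {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "secret");            // constructed demo credentials
        DefaultSecurityManager sm = new DefaultSecurityManager(realm);

        Subject subject = new Subject.Builder(sm).buildSubject();
        Session preAuth = subject.getSession();
        preAuth.setAttribute("cart", "3 items");        // constructed pre-login state worth keeping
        Object preAuthId = preAuth.getId();

        Session postAuth = loginWithFreshSession(subject, new UsernamePasswordToken("alice", "secret"));

        boolean rotated = !preAuthId.equals(postAuth.getId());
        boolean carried = "3 items".equals(postAuth.getAttribute("cart"));
        System.out.println("session id rotated: " + rotated + ", attributes carried over: " + carried);
    }
}
```

Both flags should print true; a false for "rotated" means the session manager handed back the same ID and the fixation risk remains.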
--
This message is automatically generated by JIRA.