Jan Bernhardt created FEDIZ-152:
-----------------------------------
Summary: Disable URL rewrites with SessionID to avoid session
hijacking
Key: FEDIZ-152
URL: https://issues.apache.org/jira/browse/FEDIZ-152
Project: CXF-Fediz
Issue Type: Improvement
Components: IDP, OIDC
Reporter: Jan Bernhardt
Assignee: Jan Bernhardt
Fix For: 1.3.0
if Cookies are disabled within the Browser the servlet container (like Tomcat)
will usually switch to URL rewriting, by adding the JSessionID to the URL.
This is dangerous because users tend to copy URLs from their browser and post
them in chat or public forums, thus allowing someone else to hijack their
session.
Therefor it is best practice to ensure that a sessionID will not be included
within the URL.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
