[ https://issues.apache.org/jira/browse/SHIRO-170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12873422#action_12873422 ]
Ali Shirvani edited comment on SHIRO-170 at 5/31/10 2:39 AM:
-------------------------------------------------------------

Is there any way to do this without any change in source code? Is there anyone who knows how I should do this on my own?

----

I solved this without any change in source code. All that you need is to stop the current session and then create a new session. Here is the snippet:

    currentUser.login(token);          // authenticate the subject first
    currentUser.getSession().stop();   // discard the pre-login session (and its ID)
    currentUser.getSession(true);      // start a fresh session with a new ID

was (Author: alish):
Is there any way to do this without any change in source code? Is there anyone who knows how I should do this on my own?

> Force New Session ID on Authentication
> --------------------------------------
>
>                 Key: SHIRO-170
>                 URL: https://issues.apache.org/jira/browse/SHIRO-170
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Configuration
>            Reporter: Jakob Külzer
>            Priority: Minor
>
> I am working on an application that has very high security standards. One of
> the issues raised after a full audit of the app is that it might be
> vulnerable to session fixation attacks. Shiro does not reset the Session ID
> after successful authentication, which would prevent this type of attack.
> IMHO this would add another level of security to Shiro beneficial for all
> kinds of applications.
> OWASP has a good page on session fixation attacks:
> http://www.owasp.org/index.php/Session_fixation
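The stop-and-recreate approach from the comment above, written out as a reusable login helper. This is an added example, not code from SHIRO-170 or from the Shiro project: the class name SessionRotatingLogin and the method loginWithFreshSession are assumptions, and it assumes it runs inside an application where a Shiro SecurityManager is already bound so that SecurityUtils.getSubject() works. It goes beyond the three-line snippet in two ways: it carries the attributes of the old session into the new one, and it fails loudly if the session identifier did not actually change, which is the property a session-fixation mitigation has to guarantee.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not part of SHIRO-170 or the Shiro code base): a login helper
 * that applies the stop-and-recreate approach from the comment above while
 * keeping the session's attributes and checking that the session identifier
 * really changed.
 */
public final class SessionRotatingLogin {

    private SessionRotatingLogin() {
    }

    /**
     * Authenticates the current subject and then replaces its session, so that a
     * session identifier that existed before login is never kept afterwards.
     *
     * @param token the credentials to authenticate with (e.g. a UsernamePasswordToken)
     * @return the identifier of the freshly created session
     * @throws IllegalStateException if the session identifier did not change
     */
    public static Serializable loginWithFreshSession(AuthenticationToken token) {
        Subject subject = SecurityUtils.getSubject();

        // Remember the identifier of whatever session existed before login (if any),
        // so we can prove afterwards that it was not kept.
        Session before = subject.getSession(false);
        Serializable oldId = (before != null) ? before.getId() : null;

        // Same order as the comment above: authenticate first, then rotate.
        subject.login(token);

        // Copy every attribute of the current session so that nothing stored in it,
        // by the application or by Shiro during login, is lost when it is stopped.
        Map<Object, Object> carried = new HashMap<>();
        Session current = subject.getSession(false);
        if (current != null) {
            for (Object key : current.getAttributeKeys()) {
                carried.put(key, current.getAttribute(key));
            }
            current.stop(); // invalidates the old session and its identifier
        }

        // Start a brand-new session and restore the carried attributes into it.
        Session fresh = subject.getSession(true);
        for (Map.Entry<Object, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }

        // The whole point of the rotation: the identifier must differ from the old one.
        Serializable freshId = fresh.getId();
        if (freshId == null || freshId.equals(oldId)) {
            throw new IllegalStateException("session identifier was not rotated on login");
        }
        return freshId;
    }
}
```

Call it in place of a plain subject.login(token) in the login handler. Whether the authenticated state is still visible on the next request depends on how the configured SecurityManager persists the subject's principals, which this example does not control; check subject.isAuthenticated() on a follow-up request in your own deployment before relying on it, and treat the IllegalStateException as a signal that the configured session manager is handing out the same identifier again.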