DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22649>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22649 putting the SSL session ID into the jsession to avoid "session fixation" attacks Summary: putting the SSL session ID into the jsession to avoid "session fixation" attacks Product: Struts Version: 1.0 Final Platform: Other URL: http://marc.theaimsgroup.com/?l=cryptography&m=105552689 802076&w=2 OS/Version: Other Status: NEW Severity: Enhancement Priority: Other Component: Documentation AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] As per the above URL, there is a little note attack possibility. Besides always forcing a new session to be created after a successful login, another good defense would be to tie the SSL session ID with the jsessionid because an attacker would always get a different session ID. Please document how one would do this with struts. More discussion in this http://marc.theaimsgroup.com/?l=cryptography&m=105563422507865&w=2 --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
