Resolving Session Fixation in JBoss


I need to prevent Session Fixation, a particular type of session hijacking, in a Java web application running in JBoss. However, it appears that the standard idiom doesn't work in JBoss. Can this be worked around?


I came to know the configuration snippet below from one of the forums, and I added the lines below. But when I print the session ID before and after logging in to the application, it is the same. How would I test session fixation?

  1. In the D:\jboss-5.1.0.GA\bin\run.cof file, add the line below: set "JAVA_OPTS=%JAVA_OPTS% -Dorg.apache.catalina.connector.Request.SESSION_ID_CHECK=false"

  2. In each context.xml of the JBoss applications: D:\jboss-5.1.0.GA\server\default\deploy\jbossweb.sar\context.xml
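The standard idiom the question refers to is to invalidate the caller's session on successful login and let the container create a fresh one, then confirm that the JSESSIONID actually changed. The servlet below is an added example, not code from the question or from JBoss; the `authenticate` method is a placeholder for the application's real credential check, and the `/home` redirect target is an assumption. Its `before`/`after` comparison is the test the poster is asking about: if the two IDs are equal after login, the container has not rotated the session and the fixation protection is not in effect.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Login servlet that rotates the session ID on successful authentication
 * (servlet 2.5 / javax.servlet API as shipped with JBoss 5.1).
 */
public class LoginServlet extends HttpServlet {

    /** Placeholder for the application's real credential check (assumption). */
    private boolean authenticate(String user, String password) {
        return user != null && password != null && !password.isEmpty();
    }

    /**
     * Invalidates the caller's current session and creates a fresh one,
     * carrying over the attributes that should survive login (for example a
     * shopping cart). Returns the new session.
     */
    static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");
        String password = request.getParameter("password");
        if (!authenticate(user, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // ID the client arrived with (possibly one an attacker planted).
        String before = request.getSession(true).getId();
        HttpSession fresh = rotateSession(request);
        String after = fresh.getId();
        fresh.setAttribute("user", user);

        // The check the question asks for: the ID must change across login.
        // With emptySessionPath="true" on JBoss 5 / Tomcat the container can
        // hand back the same ID, which is the symptom described in the thread;
        // log it so the failure is visible in the server log instead of
        // passing silently.
        if (before.equals(after)) {
            log("Session ID NOT rotated on login for user " + user
                + " (before=" + before + ", after=" + after + ")");
        }
        response.sendRedirect(request.getContextPath() + "/home");
    }
}
```

To exercise it, send a request carrying an arbitrary JSESSIONID cookie to the login form and compare the Set-Cookie header in the response (or the logged warning) with the cookie you sent; a correctly configured container returns a different ID.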

One workaround is to store the client address in the session. A response wrapper should validate that the client address stored in the session is the same as the one accessing the session.
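The address-binding workaround described above, implemented as a servlet filter rather than a response wrapper (added example, not the answerer's code; the attribute name `org.example.boundClientAddress` is an assumption). The first request that carries a session records the caller's address in it; any later request for the same session from a different address invalidates the session and is refused, so a session ID planted by or leaked to another host cannot be used from there.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Binds each session to the client address that first used it.
 * Map it to /* in web.xml so it runs in front of every request.
 */
public class ClientAddressBindingFilter implements Filter {

    /** Session attribute holding the bound address (name is an assumption). */
    static final String BOUND_ADDRESS = "org.example.boundClientAddress";

    /**
     * Returns true when the session may be used by a client at remoteAddr:
     * the first use binds the address, later uses must match it.
     */
    static boolean checkAndBind(HttpSession session, String remoteAddr) {
        Object bound = session.getAttribute(BOUND_ADDRESS);
        if (bound == null) {
            session.setAttribute(BOUND_ADDRESS, remoteAddr);
            return true;
        }
        return bound.equals(remoteAddr);
    }

    public void init(FilterConfig filterConfig) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only inspect existing sessions; do not create one just to bind it.
        HttpSession session = request.getSession(false);
        if (session != null && !checkAndBind(session, request.getRemoteAddr())) {
            // Address mismatch: drop the session so the ID is worthless from
            // either host, and reject the request.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Two caveats a practitioner should weigh before relying on this: behind a reverse proxy or load balancer `getRemoteAddr()` returns the proxy's address for every client, so the check binds nothing useful unless the proxy is configured to pass the original address through; and clients whose address legitimately changes mid-session (mobile networks, some corporate NAT pools) will be logged out. It is a mitigation layered on top of session rotation at login, not a replacement for it.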

This problem, and the specific case in which it occurs, is a problem in Tomcat as well as JBoss. Tomcat shares the emptySessionPath="true" effect (and in fact JBoss inherits it from Tomcat).

This really seems like a bug in Tomcat and JBoss when you are trying to prevent session fixation attacks, but the servlet spec (at least version 2.3) does not actually require the JSESSIONID to be defined or redefined according to any specific logic. Perhaps this has been cleaned up in later versions.
