0 Replies | Latest reply: Feb 26, 2012 8:34 PM by Mandar Tuljapurkar

JSESSIONID session fixation issue

Mandar Tuljapurkar

Hi,

This is in relation to Jive SBS public 4.5.4. I noticed that the application continues to maintain the same JSESSIONID cookie value even after a guest user authenticates.

This is typically resolved by making modifications to the Tomcat configuration. But it looks like authentication is being handled by Spring Security and specifically, JiveAuthenticationTranslationFilter needs to be modified to reset the cookie.

My question is, should I invalidate the request.getSession(), or do I need to explicitly reset the cookie as well?

Is there any other dependency?

Thanks in advance,

Mandar
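The mechanism the post is asking about, as an added example that is not part of the original thread and is not Jive SBS or Spring Security code: a plain Servlet API helper that migrates the session at the moment authentication succeeds. Invalidating the pre-login HttpSession and then calling request.getSession(true) on the same request makes the container create a new session and emit a Set-Cookie header for the new JSESSIONID on that response, so the cookie does not have to be rewritten by hand. The attribute name PRINCIPAL_ATTR and the onAuthenticationSuccess entry point are assumptions for the illustration; Spring Security 3.x performs the same migration in its SessionFixationProtectionStrategy. Written against the Servlet 2.5 API that Tomcat 6 exposes, so the attribute enumeration is handled without generics.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Session fixation guard (added example, not Jive or Spring Security code).
 *
 * A guest session id that survives login can be planted by an attacker
 * before the victim authenticates; migrating to a fresh session id at
 * login closes that window. The old session is invalidated, a new one is
 * created, and the container sends the new JSESSIONID cookie itself.
 */
public class SessionFixationGuard {

    // Assumed attribute name under which the login step stores the principal.
    public static final String PRINCIPAL_ATTR = "authenticatedPrincipal";

    /**
     * Invalidate the caller's current session and return a new one that
     * carries the same attributes. Must run on the login request itself,
     * before the response is committed, so the Set-Cookie for the new
     * JSESSIONID goes out with the login response.
     */
    public static HttpSession migrateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> attrs = new HashMap<String, Object>();

        if (old != null) {
            // Copy everything out first; attributes are unreachable once
            // the session is invalidated.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                attrs.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }

        // getSession(true) after invalidate() creates a session with a new
        // id; Tomcat adds the corresponding Set-Cookie header to the response.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /**
     * Hypothetical hook to be called once credentials have been verified.
     * The principal is stored only in the new session, never in the old one,
     * so the pre-login session id never becomes an authenticated one.
     */
    public static HttpSession onAuthenticationSuccess(HttpServletRequest request,
                                                      Object principal) {
        HttpSession fresh = migrateSession(request);
        fresh.setAttribute(PRINCIPAL_ATTR, principal);
        return fresh;
    }

    /** Convenience check for a request handler: has this session authenticated? */
    public static boolean isAuthenticated(HttpServletRequest request) {
        HttpSession s = request.getSession(false);
        return s != null && s.getAttribute(PRINCIPAL_ATTR) != null;
    }
}
```

Two points worth checking when wiring something like this into a filter chain: the migration has to happen on the request that performs the login and before any output is flushed, otherwise the new cookie is never sent and the client keeps presenting the old, now invalid, id; and copying attributes across is a design choice, since dropping them (a completely new session) is stricter but loses anything the guest session held, such as a shopping cart or a pending redirect. On a Servlet 3.1 container the single call request.changeSessionId() replaces the invalidate-and-recreate dance, but that API is newer than the Tomcat generation Jive SBS 4.5 ran on.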