Reputation: 1
JSP directive session="false"
If I don't use session="false" directive in the Login page in the web application, will jSESSIONID be created in Login page itself.
Also then is it possible to hack the application and access the files by using the created jSESSIONID, without even login authentication , just by visting the Login page.
Your response is highly appreciated.
Thanks, Pradeep G
Upvotes: 0
Views: 352
Answers (1)
Reputation: 262860
Here is one possible attack vector:
You open the login page, but don't log in, because it is lunch time.
Bad Actor walks into your office, writes down your jSESSIONID.
After lunch, you log in. That jSESSIONID is now useful.
Bad Actor can use your jSESSIONID from his own browser to look at your session.
Solution:
Create a brand-new jSESSIONID after the successful login (so that the one from before authentication does not suddenly become valuable).
Upvotes: 1
Related Questions
- Why set a JSP page session = "false" directive?
- How to remove session attribute on jspDestroy() method
- How to invalidate the session in jsp
- How do you disable session creation for all JSPs with Tiles?
- JSP Session unsual behavior
- JSP session problem
- How to apply session on JSP page without using <% page session =""%>
- jsp- session -how to use old session (if exist) but not create a new one
- Invalidate Session in JSP
- Disable sessions in Tomcat 6 for JSP