Mercious

Session Fixation: Am I secure?

I am trying to implement security for my project that prevents session fixation.

As I have no access to the component (a filter from a certain library, let's call it MagicFilter) that handles the whole session creation and validation, I was trying to find another way of possibly doing it.

Now, consider this scenario for my session:

So basically the user never has a real and valid session ID while at the login page. Only after he logs in does the MagicFilter assign another session ID, which will then be stuck to, as I only invalidate() the session ID in my LoginController.

But this feels very rough and I kind of had to "hack" around the automatic process of the MagicFilter. Can anyone see if this should be safe in terms of session fixation or not?

Upvotes: 0

Views: 60
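
One way to test the property the question asks about, as an added example that is not part of the original post: a small Python model in which `SessionStore` stands in for MagicFilter's session handling and `login` for the LoginController. All names and behaviour here are assumptions, since the filter's internals are not shown; the check compares rotating the session ID at login with keeping it.

```python
import secrets

class SessionStore:
    """Hypothetical stand-in for the filter's session handling."""
    def __init__(self):
        self._sessions = {}  # session id -> {"user": name or None}

    def resolve(self, presented_id):
        """Return (id, session); unknown or missing ids get a fresh server-generated id."""
        if presented_id in self._sessions:
            return presented_id, self._sessions[presented_id]
        new_id = secrets.token_urlsafe(32)
        self._sessions[new_id] = {"user": None}
        return new_id, self._sessions[new_id]

    def invalidate(self, session_id):
        self._sessions.pop(session_id, None)

    def user_for(self, session_id):
        session = self._sessions.get(session_id)
        return session["user"] if session else None

def login(store, presented_id, username, rotate=True):
    """Hypothetical login controller, called after the credentials were verified."""
    if rotate:
        store.invalidate(presented_id)         # the pre-login id stops being valid
        presented_id = None                    # force the store to issue a new id
    session_id, session = store.resolve(presented_id)
    session["user"] = username
    return session_id

def fixation_check(rotate):
    """True if an id known before login gives no access after login."""
    store = SessionStore()
    planted = "constructed-id-known-to-third-party"   # constructed sample value
    pre_id, _ = store.resolve(planted)          # must not adopt a client-supplied id
    post_id = login(store, pre_id, "alice", rotate)
    return (pre_id != planted and post_id != pre_id
            and store.user_for(planted) is None
            and store.user_for(pre_id) is None
            and store.user_for(post_id) == "alice")
```

The same three assertions (client-supplied ID not adopted, pre-login ID dead after login, new ID bound to the user) can be run against the real application by recording the session cookie before and after login.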

Answers (0)
