Idea ID: 1652394

Application assessment - HPOM adminUI session fixation

Status : Archived
over 3 years ago

It is possible to set the session ID to a previously issued value when accessing unauthenticated parts of the website. Upon successful authentication, the session ID is not invalidated and continues being used. This vulnerability is known as 'session fixation'.

Impact / Technical Details:
Failing to regenerate the session ID after authentication renders the application vulnerable to session fixation attacks. This attack consists in a user being coerced into using a chosen session ID determined by an attacker. Once the victim logs in to the system, the attacker can hijack this authenticated session by re-using the fixed session ID attached to the victim. Particularly, the tested application fails to reissue a new JSESSIONID cookie.

To prevent session fixation attacks, it is recommended that the application issues a new randomly generated session identifier when the user moves into the authenticated part of the website. For more information, please see article

We tried to set the parameter "token.per.request=true" what are described in Administration Manuals, but afterwe unable to use AdminUI. After login if we click to some button in menu, any page can not be opened.
QCCR1A116412 Security Compliancy in OMU Admin GUI(CSRF-protection)

we change parameter in from false to true:


            and executed the

adminui start –clean

Original setting:


  • Moving this Idea to “Archived” status as it has been open for > 1 year and has not gathered broad customer interest.

    NOTE: Archived ideas may be commented upon but cannot receive votes. Archived ideas may be re-opened based on community input.



    if we use token.per.request=true we able to login to Admin UI, but navigation is not possible. Any of Admin UI menu buttons causes:  "This page can't be displayed" .
    see attached picture:

    1. Login to AdminUI
    2. Click to HPOM button on top menu
    3. Page can't be displayed






  • Dear Submitter,

    regarding this request, the mentioned QCCR1A116412 should be able to address that. If the AdminUI does not work with “token.per.request=true”, then that is a defect, and you can raise a support case.

     Please be aware of the following:

    Using “token.per.request=true” is tricky. Since a new token is created for every request, several things will not work:

    - Using browser back button

    - Using multiple tabs (an “old” tab will have an old ID and thus going back to that tab and trying to use it again will fail)

    So, if there are security requirements that need this, you can use AdminUI only with one tab at a time and only forward navigation (using links and menues within the adminUI web page, no brower navigation). If even that doesn’t work, then that is a defect.

    Please confirm the above.


    Moderator, OpsBridge Idea Exchange