It is possible to set the session ID to a previously issued value when accessing unauthenticated parts of the website. Upon successful authentication, the session ID is not invalidated and continues being used. This vulnerability is known as 'session fixation'.
Impact / Technical Details:
Failing to regenerate the session ID after authentication renders the application vulnerable to session fixation attacks. In this attack, a user is coerced into using a session ID chosen in advance by an attacker. Once the victim logs in to the system, the attacker can hijack the authenticated session by re-using the fixed session ID that is now attached to the victim. In particular, the tested application fails to reissue a new JSESSIONID cookie.
To prevent session fixation attacks, it is recommended that the application issue a new randomly generated session identifier when the user moves into the authenticated part of the website. For more information, please see article http://www.owasp.org/index.php/Top_10_2007-A7
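The fix the finding asks for, rotating the JSESSIONID at the moment of login, looks like this in a Java servlet. This is an added illustration and not the Admin UI's own code; the authenticate() helper and the "returnTo" attribute name are assumptions.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (!authenticate(user, pass)) {          // hypothetical credential check
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Vulnerable pattern (what the finding describes): keep using whatever
        // session the browser arrived with and just mark it authenticated:
        //   req.getSession(true).setAttribute("user", user);
        // Any pre-issued JSESSIONID, including one an attacker planted, stays valid.

        // Fixed pattern: carry over only the pre-login state worth keeping,
        // destroy the old session server-side, and let the container issue
        // a brand-new JSESSIONID before any authenticated state is stored.
        Map<String, Object> keep = new HashMap<>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            Object returnTo = old.getAttribute("returnTo"); // assumed attribute
            if (returnTo != null) {
                keep.put("returnTo", returnTo);
            }
            old.invalidate();                      // old ID can no longer be used
        }
        HttpSession fresh = req.getSession(true);  // new ID, new Set-Cookie header
        keep.forEach(fresh::setAttribute);
        fresh.setAttribute("user", user);

        resp.sendRedirect(req.getContextPath() + "/home");
    }

    private boolean authenticate(String user, String pass) {
        // Placeholder: real implementations verify against the user store.
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}
```

On Servlet 3.1 or later containers, req.changeSessionId() rotates the identifier in place while keeping the session's attributes, which avoids the manual copy above.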
We tried to set the parameter "token.per.request=true", which is described in the Administration Manuals, but afterwards we were unable to use AdminUI. After login, if we click any button in the menu, no page can be opened.
QCCR1A116412 Security Compliancy in OMU Admin GUI(CSRF-protection)
We changed the parameter in security.properties from false to true:
and executed the
adminui start –clean