Fortify flagging Session Fixation vulnerability, may be a flase positive?
In my Java web application SCA is flagging Session Fixation issue in login page however I doubt it might be a flase positive. Its quite old application developed few years back. "J_security_check" is used for handling login mechanism which uses "org.jboss.security.auth.spi.DatabaseServerLoginModule".
Application doesn't show a session id/jsession id in the url and it interacts through secured channel, I mean "https". I suspect this is false positive the reason is as part of the fortify analysis jboss code isn't configured to analyse and the analysis happens on local/development environment where interation doesn't happen on secured channel, I mean to say its "http" not "https".
Could you please guide is this false positive or Am I missing anything here??
Thanks in advance.