[Esapi-user] [OWASP-ESAPI] ESAPI Encryptor

Kevin W. Wall kevin.w.wall at gmail.com
Sat Jan 16 11:00:54 EST 2010

Jeff Williams wrote:
> I agree that using standard session mechanisms is the best course for
> most apps.
> Also should note that ESAPI automatically changes the sessionid upon
> login (or manually) to prevent fixation. In my experience very few
> applications do this properly.

Nice feature. I agree...most apps do it wrong.
Does one have to use the ESAPI Authenticator to have it do that
or is there another way? Because I don't think that many Fortune 500
companies are going to use the reference Authenticator.

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
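The feature Jeff describes, issuing a new session identifier when the user authenticates, is what defeats session fixation: an attacker who planted a known identifier before login must not end up holding an authenticated one. The Python below is an added illustration, not part of this thread and not ESAPI's code. It models a minimal in-memory session store with the rotation switchable on and off and walks the fixation attack through both configurations; the store, the credential table and the attack scenario are all constructed for the demo.

```python
"""Session fixation: why the session id must be rotated at login.

Added example with a constructed in-memory session store; it is not
ESAPI's implementation, only a model of the behaviour being discussed.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed credential table for the demo; a real app checks salted hashes.
CREDENTIALS = {"alice": "correct horse battery staple"}


@dataclass
class Session:
    user: Optional[str] = None                   # None until authenticated
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """Server-side sessions keyed by an unguessable identifier."""

    def __init__(self, rotate_on_login: bool) -> None:
        self.rotate_on_login = rotate_on_login
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login(self, sid: str, user: str, password: str) -> str:
        """Authenticate and return the id the client must use from now on."""
        expected = CREDENTIALS.get(user, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            raise PermissionError("bad credentials")   # old session untouched
        old = self._sessions.pop(sid, None) or Session()
        if not self.rotate_on_login:
            # Vulnerable: the pre-login id (possibly chosen by an attacker)
            # is simply upgraded to an authenticated id.
            old.user = user
            self._sessions[sid] = old
            return sid
        # Hardened: mint a fresh id, carry over pre-login state (e.g. a cart),
        # and drop the old id so anyone who knows it gains nothing.
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user=user, data=dict(old.data))
        return new_sid


def fixation_attack(rotate_on_login: bool) -> Tuple[bool, bool]:
    """Run the classic fixation scenario.

    Returns (victim_logged_in, attacker_holds_victim_login).
    """
    store = SessionStore(rotate_on_login)
    # 1. Attacker obtains a valid anonymous session id from the site...
    planted = store.new_session()
    # 2. ...plants it in the victim's browser (URL parameter, cookie
    #    injection, etc.), and the victim logs in using that same id.
    victim_sid = store.login(planted, "alice", "correct horse battery staple")
    victim = store.get(victim_sid)
    # 3. Attacker now presents the id they already knew.
    hijacked = store.get(planted)
    return (
        victim is not None and victim.user == "alice",
        hijacked is not None and hijacked.user == "alice",
    )


if __name__ == "__main__":
    for rotate in (False, True):
        logged_in, hijacked = fixation_attack(rotate)
        print(f"rotate_on_login={rotate}: victim logged in={logged_in}, "
              f"attacker hijacked={hijacked}")
```

The two calls differ only in whether `login` rotates the identifier; with rotation off the attacker's planted id is the victim's authenticated session, with rotation on it maps to nothing. Whatever framework is in use, the same two properties matter: the new id comes from a CSPRNG, and the old id is invalidated rather than left as an alias. In the standard Servlet API this is a single call, `HttpServletRequest.changeSessionId()` (Servlet 3.1 and later), which is independent of any particular authenticator.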
