[Esapi-user] [OWASP-ESAPI] ESAPI Encryptor

Kevin W. Wall kevin.w.wall at gmail.com
Sat Jan 16 11:00:54 EST 2010


Jeff Williams wrote:
> I agree that using standard session mechanisms is the best course for
> most apps.
> 
> Also should note that ESAPI automatically changes the sessionid upon
> login (or manually) to prevent fixation. In my experience very few
> applications do this properly.

Nice feature. I agree...most apps do it wrong.
Does one have to use the ESAPI Authenticator to have it do that
or is there another way? Because I don't think that many Fortune 500
companies are going to use the reference Authenticator.

-kevin
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
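The session-id rotation discussed in the thread, as an added example written against the standard Servlet API rather than ESAPI's reference Authenticator (this is editorial example code, not code from the original thread or from the ESAPI project). The `verifyCredentials` hook, the `/home` redirect target and the `authenticatedUser` attribute name are assumptions for illustration.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: issue a fresh session id at the moment of successful login,
// so a session id that existed (or was planted) before authentication never
// becomes an authenticated session. This is the fixation defence the thread
// refers to, done without the ESAPI Authenticator.
public abstract class LoginServlet extends HttpServlet {

    // Hypothetical application hook; delegate to your real credential store.
    protected abstract boolean verifyCredentials(String user, String pass);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        if (!verifyCredentials(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Rotate the id BEFORE writing any authenticated state into the session.
        HttpSession session = rotateSessionId(req);
        session.setAttribute("authenticatedUser", user);   // constructed attribute name
        resp.sendRedirect(req.getContextPath() + "/home"); // constructed target
    }

    /**
     * Gives the client a new session id while keeping pre-login attributes
     * (e.g. a shopping cart). On Servlet 3.1+ containers a single call to
     * req.changeSessionId() does the same thing; the copy/invalidate/recreate
     * sequence below is the portable form that works on older containers.
     */
    static HttpSession rotateSessionId(HttpServletRequest req) {
        HttpSession old = req.getSession(true);

        // Copy attributes first: after invalidate() the old session is unusable.
        Map<String, Object> saved = new HashMap<>();
        Enumeration<String> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            saved.put(name, old.getAttribute(name));
        }

        old.invalidate();                        // the pre-login id is now dead
        HttpSession fresh = req.getSession(true); // container mints a new id

        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

The ordering matters: the rotation happens after the credentials check succeeds and before any "logged in" marker is stored, so an id known to a third party before login is never upgraded. The same `invalidate()` belongs in the logout path so the authenticated id is not reusable afterwards.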

