[Esapi-user] [OWASP-ESAPI] ESAPI Encryptor

Jeff Williams jeff.williams at aspectsecurity.com
Sat Jan 16 11:46:43 EST 2010


You can use HttpUtilities.changeSessionIdentifier() which preserves the
existing session, but gives it a new JSESSIONID.  I worked with the
Servlet 3.0 team to try to get this adopted in the spec, but perhaps I
wasn't convincing enough.

--Jeff


-----Original Message-----
From: Kevin W. Wall [mailto:kevin.w.wall at gmail.com] 
Sent: Saturday, January 16, 2010 11:01 AM
To: Jeff Williams
Cc: Fabio Cerullo; ESAPI-Users
Subject: Re: [Esapi-user] [OWASP-ESAPI] ESAPI Encryptor

Jeff Williams wrote:
> I agree that using standard session mechanisms is the best course for
> most apps.
> 
> Also should note that ESAPI automatically changes the sessionid upon
> login (or manually) to prevent fixation. In my experience very few
> applications do this properly.

Nice feature. I agree...most apps do it wrong.
Does one have to use the ESAPI Authenticator to have it do that
or is there another way? Because I don't think that many Fortune 500
companies are going to use the reference Authenticator.

-kevin
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
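The session-ID rotation Jeff describes (keep the session's state, issue a new JSESSIONID) can be implemented directly against the Servlet API when an application does not want the reference Authenticator. The following is an added illustration written for this thread, not ESAPI's own HttpUtilities code: the class name SessionRotation, the helper rotateSessionId and the attribute name "authenticatedUser" are assumed for the example. It copies the attributes of the pre-login session into a fresh session, invalidates the old one, and only then records the authenticated principal, so that a session ID fixed by an attacker before login is never the one that becomes authenticated.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Illustrative helper (assumed name; not ESAPI code): rotate the servlet
 * session identifier after successful authentication while preserving the
 * session's attributes, which defeats session fixation.
 */
public final class SessionRotation {

    /** Attribute name assumed for this example. */
    public static final String USER_ATTR = "authenticatedUser";

    private SessionRotation() {}

    /**
     * Invalidates the caller's current session (if any) and returns a new
     * session that carries over the old attributes. The container issues a
     * new JSESSIONID cookie for the new session.
     */
    public static HttpSession rotateSessionId(HttpServletRequest request) {
        HttpSession oldSession = request.getSession(false);
        Map<String, Object> saved = new HashMap<>();

        if (oldSession != null) {
            // Snapshot every attribute before invalidate() discards them.
            Enumeration<String> names = oldSession.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, oldSession.getAttribute(name));
            }
            // Drop any principal that somehow sits in the pre-login session;
            // authentication state must only be written to the new session.
            saved.remove(USER_ATTR);
            oldSession.invalidate();
        }

        // getSession(true) creates a session with a freshly generated ID.
        HttpSession newSession = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            newSession.setAttribute(e.getKey(), e.getValue());
        }
        return newSession;
    }

    /**
     * Call this only after credentials have been verified. The rotation
     * happens before the principal is stored, so the authenticated session
     * never shares an ID with the anonymous one.
     */
    public static void onSuccessfulLogin(HttpServletRequest request, String username) {
        HttpSession fresh = rotateSessionId(request);
        fresh.setAttribute(USER_ATTR, username);
    }
}
```

In a login servlet the call sits immediately after the credential check, e.g. `SessionRotation.onSuccessfulLogin(request, username);`, and the same rotation is worth repeating on privilege changes. Containers implementing Servlet 3.1 or later also expose `HttpServletRequest.changeSessionId()`, which renews the ID in place without the copy-and-invalidate step; the manual version above is what remains available on the Servlet 3.0 containers this thread refers to.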