[Esapi-user] [OWASP-ESAPI] ESAPI Encryptor

Jeff Williams jeff.williams at aspectsecurity.com
Sat Jan 16 11:46:43 EST 2010

You can use HttpUtilities.changeSessionIdentifier() which preserves the
existing session, but gives it a new JSESSIONID.  I worked with the
Servlet 3.0 team to try to get this adopted in the spec, but perhaps I
wasn't convincing enough.


-----Original Message-----
From: Kevin W. Wall [mailto:kevin.w.wall at gmail.com] 
Sent: Saturday, January 16, 2010 11:01 AM
To: Jeff Williams
Cc: Fabio Cerullo; ESAPI-Users
Subject: Re: [Esapi-user] [OWASP-ESAPI] ESAPI Encryptor

Jeff Williams wrote:
> I agree that using standard session mechanisms is the best course for
> most apps.
> Also should note that ESAPI automatically changes the sessionid upon
> login (or manually) to prevent fixation. In my experience very few
> applications do this properly.

Nice feature. I agree...most apps do it wrong.
Does one have to use the ESAPI Authenticator to have it do that
or is there another way? Because I don't think that many Fortune 500
companies are going to use the reference Authenticator.

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
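The mechanism Jeff describes (keep the session's contents, issue a new JSESSIONID) can be reproduced with plain Servlet API calls. The following is an added illustration, not ESAPI's own HttpUtilities.changeSessionIdentifier() implementation; the class name SessionRotation and method rotate are hypothetical. It assumes a Servlet 2.5/3.0 container; from Servlet 3.1 onward HttpServletRequest.changeSessionId() does the same in one call.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Rotates the session identifier at login while preserving session state,
 * so an identifier an attacker planted before authentication is never
 * promoted to an authenticated session (session fixation defence).
 */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Copies every attribute out of the current session, invalidates it so the
     * old JSESSIONID can no longer be presented, then creates a fresh session
     * and restores the saved attributes into it. Call this immediately after
     * credentials are verified and before storing the authenticated principal.
     */
    public static HttpSession rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<>();
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            // Invalidation is what retires the old identifier server-side;
            // merely issuing a second cookie would leave the old one usable.
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Because this touches only the Servlet API, it can be invoked from any login code path and does not require the reference Authenticator.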
