[Esapi-user] [OWASP-ESAPI] ESAPI Encryptor
jeff.williams at aspectsecurity.com
Sat Jan 16 11:46:43 EST 2010
You can use HttpUtilities.changeSessionIdentifier() which preserves the
existing session, but gives it a new JSESSIONID. I worked with the
Servlet 3.0 team to try to get this adopted in the spec, but perhaps I
wasn't convincing enough.
From: Kevin W. Wall [mailto:kevin.w.wall at gmail.com]
Sent: Saturday, January 16, 2010 11:01 AM
To: Jeff Williams
Cc: Fabio Cerullo; ESAPI-Users
Subject: Re: [Esapi-user] [OWASP-ESAPI] ESAPI Encryptor
Jeff Williams wrote:
> I agree that using standard session mechanisms is the best course for
> most apps.
> Also should note that ESAPI automatically changes the sessionid upon
> login (or manually) to prevent fixation. In my experience very few
> applications do this properly.
Nice feature. I agree...most apps do it wrong.
Does one have to use the ESAPI Authenticator to have it do that
or is there another way? Because I don't think that many Fortune 500
companies are going to use the reference Authenticator.
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
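As an added illustration of what "preserves the existing session, but gives it a new JSESSIONID" means in Servlet terms, the helper below is an example written for this page, not ESAPI's own HttpUtilities.changeSessionIdentifier() implementation. It copies the attributes out of the current session, invalidates that session so the old identifier is dead on the server side, opens a new session (for which the container issues a fresh JSESSIONID cookie), and puts the attributes back. The class name SessionIdRotation and the login-servlet usage in the comment are assumptions made for the example.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Illustrative helper (example code, not ESAPI's own class): regenerate the
 * session identifier while keeping the attributes of the existing session,
 * so a JSESSIONID value that was issued before login is no longer accepted
 * after login. This is the defence against session fixation discussed in
 * the thread.
 *
 * Intended usage (hypothetical login servlet), after credentials have been
 * verified and before any authenticated state is stored:
 *
 *     HttpSession session = SessionIdRotation.rotateSessionId(request);
 *     session.setAttribute("authenticatedUser", username);
 */
public final class SessionIdRotation {

    private SessionIdRotation() {
    }

    /**
     * Returns a fresh session carrying the attributes of the old one.
     * If no session existed yet, simply creates one.
     */
    public static HttpSession rotateSessionId(HttpServletRequest request) {
        HttpSession oldSession = request.getSession(false);
        if (oldSession == null) {
            // No pre-existing session, so there is no old identifier to retire.
            return request.getSession(true);
        }

        // 1. Copy every attribute out of the old session before it goes away.
        Map<String, Object> attributes = new HashMap<>();
        Enumeration<String> names = oldSession.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            attributes.put(name, oldSession.getAttribute(name));
        }

        // 2. Invalidate the old session: the container forgets the old
        //    JSESSIONID, so presenting it later yields no session at all.
        oldSession.invalidate();

        // 3. Create a new session. The container generates a new identifier
        //    and adds the Set-Cookie header for JSESSIONID to the response.
        HttpSession newSession = request.getSession(true);

        // 4. Restore the pre-login state (shopping cart, locale, CSRF token,
        //    and so on) into the new session.
        for (Map.Entry<String, Object> entry : attributes.entrySet()) {
            newSession.setAttribute(entry.getKey(), entry.getValue());
        }
        return newSession;
    }
}
```

Two things to check when adopting this pattern: the rotation must happen after authentication succeeds and before the authenticated principal is stored (rotating before the credential check leaves the window open), and any object that cached a reference to the old HttpSession, such as a session-scoped bean or a listener, must be looked up again afterwards because the old reference is invalidated. Containers implementing Servlet 3.1 or later also provide HttpServletRequest.changeSessionId(), which performs the same identifier change in a single call without invalidating and recreating the session.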