This forum is now a read-only archive. All commenting, posting, registration services have been turned off. Those needing community support and/or wanting to ask questions should refer to the Tag/Forum map, and to http://spring.io/questions for a curated list of stackoverflow tags that Pivotal engineers, and the community, monitor.
What is SessionFixationProtectionFilter?
If Session Fixation Protection is enabled, Spring Security will add a filter into the stack; its name is SessionFixationProtectionFilter. For what it is, please just look into the docs for "Session Fixation Protection".
I read this one....
Indicates whether an existing session should be invalidated when a user authenticates and a new session
started. If set to "none" no change will be made. "newSession" will create a new empty session.
"migrateSession" will create a new session and copy the session attributes to the new session. Defaults
In this scenario:
Mallory has determined that http://unsafe/ accepts any session identifier, accepts session identifiers from query strings and has no security validation. http://unsafe/ is thus not secure.
Mallory sends Alice an e-mail: "Hey, check this out, there is a cool new account summary feature on our bank, http://unsafe/?SID=I_WILL_KNOW_THE_SID". Mallory is trying to fixate the SID to I_WILL_KNOW_THE_SID.
Alice is interested and visits http://unsafe/?SID=I_WILL_KNOW_THE_SID. The usual log-on screen pops up, and Alice logs on.
Mallory visits http://unsafe/?SID=I_WILL_KNOW_THE_SID and now has unlimited access to Alice's account.
But I'm getting exactly....
As per my understanding, the attacker will use the session ID of the original user.
And with the "migrateSession" option it will copy the attributes to the new session; then how can it check that the new session is used by the original user? I mean, how can the original user be identified?
Please explain to me how exactly this filter works?
Thanks in advance.
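The following is an added illustration, not code from this thread or from Spring Security itself: a small in-memory model of a session store that replays the Mallory/Alice scenario quoted above under each of the three documented settings ("none", "newSession", "migrateSession"). The server, the credential check and the "cart" attribute are constructed for the example. It shows that the filter never needs to identify the original user: it only throws away the session ID that existed before login and issues a fresh one, so the ID Mallory fixed stops mapping to anything authenticated, while "migrateSession" still carries the old session's attributes across to the new ID.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed model of a servlet container's session store plus the three
# session-fixation strategies named in the quoted Spring Security docs.
# This illustrates the mechanism; it is not Spring Security's own code.


@dataclass
class Session:
    id: str
    attributes: dict = field(default_factory=dict)
    user: Optional[str] = None  # set only after successful authentication


class Server:
    def __init__(self, strategy: str, accept_sid_from_query: bool = True):
        if strategy not in ("none", "newSession", "migrateSession"):
            raise ValueError(strategy)
        self.strategy = strategy
        self.accept_sid_from_query = accept_sid_from_query
        self.sessions: Dict[str, Session] = {}

    def _new_session(self) -> Session:
        s = Session(id=secrets.token_hex(16))  # unguessable, server-chosen id
        self.sessions[s.id] = s
        return s

    def request(self, sid: Optional[str], from_query: bool = False) -> Session:
        """Resolve the session for a request. Like http://unsafe/ in the
        scenario, this server adopts any unknown identifier, even one that
        arrived in the query string, and creates a session under that id."""
        if sid is not None and (self.accept_sid_from_query or not from_query):
            if sid not in self.sessions:
                self.sessions[sid] = Session(id=sid)
            return self.sessions[sid]
        return self._new_session()

    def authenticate(self, sid: str, username: str, password: str) -> str:
        """Log the user in on session `sid` and return the id the browser
        must use from now on. This is the point the fixation filter hooks:
        it runs once authentication has succeeded."""
        if password != "correct horse battery staple":  # constructed credential
            raise PermissionError("bad credentials")
        old = self.sessions[sid]
        if self.strategy == "none":
            old.user = username          # the pre-login id becomes the login id
            return old.id
        # newSession and migrateSession both invalidate the old id, so an id
        # chosen by an attacker can never become the authenticated session.
        del self.sessions[sid]
        new = self._new_session()
        if self.strategy == "migrateSession":
            new.attributes = dict(old.attributes)  # keep e.g. a shopping cart
        new.user = username
        return new.id

    def whoami(self, sid: str) -> Optional[str]:
        s = self.sessions.get(sid)
        return s.user if s else None


def run_attack(strategy: str) -> dict:
    """Replay the Mallory/Alice scenario under the given strategy."""
    server = Server(strategy)
    fixed_sid = "I_WILL_KNOW_THE_SID"
    # Alice follows Mallory's link; the server adopts the attacker's id.
    alice_session = server.request(fixed_sid, from_query=True)
    alice_session.attributes["cart"] = ["book"]  # pre-login state worth keeping
    alice_sid = server.authenticate(alice_session.id, "alice",
                                    "correct horse battery staple")
    return {
        "alice_sid_changed": alice_sid != fixed_sid,
        "mallory_sees": server.whoami(fixed_sid),   # what the fixed id yields
        "alice_sees": server.whoami(alice_sid),
        "alice_cart": server.sessions[alice_sid].attributes.get("cart"),
    }
```

With "none", `run_attack` reports that Mallory's fixed ID now resolves to Alice's authenticated session. With "newSession" and "migrateSession" the fixed ID resolves to nothing after login because the filter discarded it; the only difference between the two is whether the cart survives, which is what "copy the session attributes to the new session" in the quoted docs refers to. The attacker does not need to be distinguished from the legitimate user at all; rotating the identifier at the moment of authentication is the whole defence.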