What is SessionFixationProtectionFilter?

  • What is SessionFixationProtectionFilter?

    Why we used SessionFixationProtectionFilter?

  • #2
    If Session Fixation Protection is enabled, Spring Security will add a filter into the stack; its name is SessionFixationProtectionFilter. For what it is, please just look into the doc for "Session Fixation Protection".


    • #3
      I read this one....
      Indicates whether an existing session should be invalidated when a user authenticates and a new session
      started. If set to "none" no change will be made. "newSession" will create a new empty session.
      "migrateSession" will create a new session and copy the session attributes to the new session. Defaults
      to "migrateSession".

      In this scenario:
      Mallory has determined that http://unsafe/ accepts any session identifier, accepts session identifiers from query strings and has no security validation. http://unsafe/ is thus not secure.
      Mallory sends Alice an e-mail: "Hey, check this out, there is a cool new account summary feature on our bank, http://unsafe/?SID=I_WILL_KNOW_THE_SID". Mallory is trying to fixate the SID to I_WILL_KNOW_THE_SID.
      Alice is interested and visits http://unsafe/?SID=I_WILL_KNOW_THE_SID. The usual log-on screen pops up, and Alice logs on.
      Mallory visits http://unsafe/?SID=I_WILL_KNOW_THE_SID and now has unlimited access to Alice's account.

      but I'm getting exactly....
      As per my understanding, the attacker will use the session ID of the original user.
      And in the "migrateSession" option it will copy the attributes to the new session, so then how can it check that the new session is used by the original user? I mean, how can the original user be identified?
      Please explain to me how exactly this filter works.
      Thanks in advance
      Last edited by sutharhemal; Mar 3rd, 2012, 06:04 AM.
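An added illustration (not from the thread and not Spring Security's own code): a toy in-memory session store, with constructed names, that replays the scenario above under the three settings quoted from the doc. It shows that the filter never has to "identify" the original user; on login it simply discards the id the client arrived with and issues a fresh server-chosen one, so the id Mallory fixated stops mapping to Alice's authenticated session, while "migrateSession" still carries her pre-login attributes over to the new id.

```python
import secrets


class SessionStore:
    """Toy stand-in for a servlet container's session registry (constructed for this example)."""

    def __init__(self):
        self.sessions = {}  # session id -> attribute dict

    def get_or_create(self, sid):
        # Like http://unsafe/ in the scenario: an unknown id supplied by the client becomes a live session.
        return self.sessions.setdefault(sid, {})

    def new_session(self):
        sid = secrets.token_hex(16)  # server-chosen, unguessable id
        self.sessions[sid] = {}
        return sid

    def invalidate(self, sid):
        self.sessions.pop(sid, None)

    def principal(self, sid):
        return self.sessions.get(sid, {}).get("principal")


def authenticate(store, sid, user, strategy):
    """Apply the session-fixation-protection strategy at login; return the id the user continues with."""
    session = store.get_or_create(sid)
    if strategy == "none":
        new_sid = sid                      # keep the id the client arrived with
    elif strategy in ("newSession", "migrateSession"):
        saved = dict(session) if strategy == "migrateSession" else {}
        store.invalidate(sid)              # the fixated id now maps to nothing
        new_sid = store.new_session()
        store.sessions[new_sid].update(saved)
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    store.sessions[new_sid]["principal"] = user
    return new_sid


def login_outcome(strategy):
    """Replay the page's scenario: Alice logs in on a session id Mallory chose."""
    store = SessionStore()
    fixated = "I_WILL_KNOW_THE_SID"
    store.get_or_create(fixated)["cart"] = ["item"]   # state Alice built up before logging in
    alice_sid = authenticate(store, fixated, "alice", strategy)
    return {
        "fixated_id_authenticated": store.principal(fixated) == "alice",  # what a later visit with that id sees
        "cart_kept": store.sessions[alice_sid].get("cart") == ["item"],
    }
```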