- 1. Re: How to avoid Session Fixation
  wguo, Dec 4, 2013 4:09 AM (in response to wguo)

  Steps to Reproduce:

  1. Get the cookie from the browser on machine A.

         User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
         Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
         Accept-Language: en-US,en;q=0.5
         Accept-Encoding: gzip, deflate
         Cookie: JSESSIONID=DWQ6ztJvJeEZA77uVzE3Dg__
                 ^^^^^^^^^^^^^^^^^^^^^^^^
         Connection: keep-alive
         Cache-Control: max-age=0

  2. Clear the cookie of the browser on machine B.

  3. Request the project homepage on machine B and modify the Set-Cookie in the response to A's cookie.

         GET XXX HTTP/1.1
         Host: XXXXXX
         User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
         Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
         Accept-Language: en-US,en;q=0.5
         Accept-Encoding: gzip, deflate
         Connection: keep-alive

         HTTP/1.1 200 OK
         Date: Thu, 15 Aug 2013 10:45:23 GMT
         X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
         Set-Cookie: JSESSIONID=DWQ6ztJvJeEZA77uVzE3Dg__; Path=/; Secure
                     ^^^^^^^^^^^^^^^^^^^^^^^^^
         Cache-Control: no-cache
         Content-Type: text/html;charset=UTF-8
         Keep-Alive: timeout=15, max=100
         Connection: Keep-Alive
         Content-Length: 24896

  4. Log in from the browser on machine B.

  Actual results: Both machine A and machine B log in to the project successfully.

  Expected results: Machine A should not be logged in without providing any credentials.

  Additional info: An attacker can modify the user's cookie by sending a malicious link to the user.
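A mitigation for the behaviour reported in this post, added here as an example that is not code from the original thread or from JBoss: on a Servlet 2.5/3.0 container (JBossWeb on JBoss 5 and AS 7, which predate `HttpServletRequest.changeSessionId()` from Servlet 3.1), an application-managed login invalidates the pre-login session and lets the container issue a fresh JSESSIONID before any authenticated state is stored, so a planted ID is never promoted. The `auth.` attribute-name prefix and the `markAuthenticated` helper are assumptions for illustration.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Session-fixation mitigation for containers without changeSessionId().
 * Call rotateOnLogin() once, right after the credentials have been verified
 * and BEFORE any "authenticated" marker is stored, so a JSESSIONID that was
 * planted before login (as in the reproduction above) is discarded.
 */
public final class SessionIdRotation {

    // Assumed naming convention: attributes with this prefix hold
    // authentication state and must never survive the rotation.
    private static final String AUTH_PREFIX = "auth.";

    private SessionIdRotation() {}

    /** Returns the fresh session that replaces the pre-login one. */
    public static HttpSession rotateOnLogin(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            // Keep only harmless pre-login state (cart, locale); drop auth markers.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                if (!name.startsWith(AUTH_PREFIX)) {
                    carried.put(name, old.getAttribute(name));
                }
            }
            old.invalidate(); // the server forgets the attacker-known ID
        }
        // The container now mints a new ID and sends a new Set-Cookie header.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Typical use in a login servlet once the password check has passed. */
    public static void markAuthenticated(HttpServletRequest request, String user) {
        HttpSession fresh = rotateOnLogin(request);
        fresh.setAttribute(AUTH_PREFIX + "user", user);
    }
}
```

With container-managed (FORM/BASIC) login the application code only runs after the container has already authenticated the request, so the rotation has to be performed by the container's authenticator rather than by this helper.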
- 2. Re: How to avoid Session Fixation
  ctomc, Dec 4, 2013 5:55 AM (in response to wguo)

  Moved to JBoss < 7 forums.
- 3. Re: How to avoid Session Fixation
  wguo, Dec 5, 2013 12:14 AM (in response to ctomc)

  Hi Tomaz, we have another project which is based on JBossAS 7, and it also has the same problem.
- 4. Re: How to avoid Session Fixation
  anuk, Dec 12, 2013 4:10 AM (in response to wguo)

  Hi, we are using Jboss 7.0.13 Final. We are having a session fixation issue. Could you please address the issue?