0 Replies Latest reply on May 15, 2018 5:29 AM by sudheerreddy55

    Change of JSessionId after login - Session Fixation

    sudheerreddy55

      Hi,

      We are using JBoss EAP 6.4.0 GA version.

      We have a security constraint: our application is not changing the JSessionId after a successful login.

      The session id is the same before and after login.

      I tried a couple of solutions/combinations like the ones below, but they didn't work out.

      Added the values below in standalone.xml:

      <system-properties>
          <property name="org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH" value="true"/>
          <property name="org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR" value="false"/>
      </system-properties>

      We are using Oracle Ecommerce (ATG) as our framework, which is deployed in JBoss.

      Kindly provide suggestions to resolve this session fixation problem.
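The container property above only takes effect for logins that go through the container's own authenticator; when the framework performs authentication itself, the application has to rotate the session explicitly. The following is an added example, not code from the original post and not ATG or JBoss code. It assumes a Servlet 3.0 API (which is what JBoss EAP 6.4 provides, so `HttpServletRequest.changeSessionId()` from Servlet 3.1 is not available) and that the caller invokes `SessionRotation.rotateAfterLogin(request)` from its own login handler immediately after the credentials have been verified; the class and method names are this example's own.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the original post, not ATG/JBoss code).
 * Regenerates the HTTP session after a successful authentication on a
 * Servlet 3.0 container, so that any JSESSIONID value an attacker could
 * have planted before login is no longer associated with the logged-in user.
 */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Copy the pre-login session attributes aside, invalidate the old session,
     * create a fresh one (which makes the container issue a new JSESSIONID),
     * and restore the attributes. Returns the new session id.
     *
     * Call this right after the credentials have been verified and before the
     * authenticated principal is stored, or store it and let it be carried over.
     */
    public static String rotateAfterLogin(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        String oldId = null;

        if (old != null) {
            oldId = old.getId();
            // Preserve application state (cart, locale, CSRF token, ...) so the
            // user does not lose it across the rotation.
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            // The id the client (and possibly an attacker) knew is now dead.
            old.invalidate();
        }

        // A fresh session: the container sends a new Set-Cookie: JSESSIONID=...
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }

        // Defensive check: some Tomcat-derived containers can hand back the
        // client-supplied id again (for instance when configured with an empty
        // session path). If that happens, the rotation did not take place and
        // it is safer to fail loudly than to continue with a fixable session.
        if (oldId != null && oldId.equals(fresh.getId())) {
            throw new IllegalStateException(
                "Session id was not regenerated on login; check container session configuration");
        }
        return fresh.getId();
    }
}
```

To confirm the fix from the outside, compare the `JSESSIONID` cookie value returned before the login request with the one in the `Set-Cookie` header of the login response; they must differ, and a request carrying the old value must be treated as unauthenticated.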