14 Replies Latest reply on Jun 3, 2007 1:48 PM by Arjan van Bentem

    sessionId cookie: man-in-the-middle attack

    Filippo Newbie

I noticed that the sessionId cookie sent to the client before authentication remains the same even after login has succeeded. This could lead to a man-in-the-middle attack, because the pre-login sessionId could easily be sniffed.

So, it would be very nice if it were possible to do session switching on the server side, forcing a pre-login session invalidation and a new session creation (request.getSession(true)) as soon as the client authenticates. The old session data should then be copied to the new session.
In this case a new sessionId cookie will be sent to the client: the client will use this ticket during subsequent requests.

This mechanism collides with the current Seam implementation, where Lifecycle.endSession is called after a session.invalidate.
I think that Seam should automatically execute this task during the authentication phase.

      regards
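The session switch described in the post, written out as an added example at the plain Servlet API level (this is not Seam's code, nor code from the original thread, and the class and method names below are hypothetical). It saves the pre-login session's attributes, invalidates that session, asks the container for a fresh one with request.getSession(true) so a new sessionId cookie is issued, and restores the attributes. The optional exclusion list is an addition beyond the post: attributes that only make sense under the old session identifier should not be carried over.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not part of Seam): replaces the pre-login session
 * with a new one at the moment authentication succeeds, so the sessionId
 * observed before login is no longer valid afterwards.
 */
public final class SessionRenewal {

    private SessionRenewal() {
    }

    /**
     * Invalidates the current session and creates a fresh one, copying over
     * every attribute except those named in doNotCopy.  The container sends
     * the new sessionId cookie on the response of this request.
     *
     * @param request   the request in which authentication has just succeeded
     * @param doNotCopy attribute names that must not survive the switch
     * @return the new session
     */
    public static HttpSession renewOnLogin(HttpServletRequest request, String... doNotCopy) {
        Set<String> excluded = new HashSet<String>();
        for (String name : doNotCopy) {
            excluded.add(name);
        }

        // 1. Save the pre-login session state (raw Enumeration keeps this
        //    compiling on Servlet 2.4/2.5 as well as 3.0+).
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                if (!excluded.contains(name)) {
                    saved.put(name, old.getAttribute(name));
                }
            }
            // 2. Kill the session whose id may have been sniffed before login.
            old.invalidate();
        }

        // 3. Create the new session; the container issues a new sessionId cookie.
        HttpSession fresh = request.getSession(true);

        // 4. Restore the saved data under the new session id.
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }

    /**
     * Example of the intended call order during login (authenticate() is a
     * hypothetical credential check): renew first, then store the
     * authenticated identity, so the principal never lives under the old id.
     */
    public static boolean login(HttpServletRequest request, String user, String password) {
        if (!authenticate(user, password)) {
            return false;
        }
        HttpSession session = renewOnLogin(request, "preLoginToken");
        session.setAttribute("authenticatedUser", user);
        return true;
    }

    // Placeholder for the application's real credential check.
    private static boolean authenticate(String user, String password) {
        return user != null && password != null && !password.isEmpty();
    }
}
```

The order matters: the authenticated principal is written only after renewOnLogin has returned, so it is never associated with the sessionId that was visible before login. As the post notes, a framework that keeps its own per-session state (Seam's Lifecycle.endSession hook is the case raised above) must be told about the switch, otherwise invalidating the old session from application code tears down state the framework still expects to find.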