Details

      Description

      Reproduce:

      • Login to any webapp
      • Take note of the session ID (Cookie JSESSIONID)
      • Logout
      • Login again

      Expected:

      • New session ID is different from the first session ID

      Observed:

      • Same session ID is used

      Hints:

      • The session cookie is set to expire at the end of the session. In most browsers this is when all browser windows are closed
      • The current behavior allows a user to steal another user's session in a scenario where both users share the same computer and browser
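
      The reproduce steps above as an automated check. This is an added example, not code from the affected product: `SessionApp`, its `rotate` flag, and the user names are constructed for illustration, and the "observed" branch assumes logout only clears the user while keeping the session ID, which the issue does not confirm.

```python
import secrets
from http.cookies import SimpleCookie

class SessionApp:
    """Constructed model of a webapp's session handling (hypothetical, not the product's code)."""
    def __init__(self, rotate):
        self.rotate = rotate      # False = observed behaviour, True = expected behaviour
        self.sessions = {}        # session ID -> logged-in user, or None

    @staticmethod
    def _presented_id(cookie_header):
        jar = SimpleCookie(cookie_header)
        return jar["JSESSIONID"].value if "JSESSIONID" in jar else None

    def login(self, user, cookie_header=""):
        sid = self._presented_id(cookie_header)
        if self.rotate or sid not in self.sessions:
            self.sessions.pop(sid, None)       # drop any pre-login session
            sid = secrets.token_hex(16)        # fresh ID at every authentication
        self.sessions[sid] = user
        return f"JSESSIONID={sid}; Path=/; HttpOnly"   # Set-Cookie value

    def logout(self, cookie_header):
        sid = self._presented_id(cookie_header)
        if self.rotate:
            self.sessions.pop(sid, None)       # invalidate the session server-side
            return "JSESSIONID=; Path=/; Max-Age=0"    # and expire the cookie
        if sid in self.sessions:
            self.sessions[sid] = None          # only forgets the user, keeps the ID
        return None                            # cookie stays in the browser

    def whoami(self, cookie_header):
        return self.sessions.get(self._presented_id(cookie_header))

def reproduce(app):
    """Run the issue's four steps on a shared browser.

    Returns (first_id, second_id, user now bound to first_id)."""
    first = SimpleCookie(app.login("alice"))["JSESSIONID"].value  # login, note the ID
    cookie = f"JSESSIONID={first}"
    if app.logout(cookie) is not None:         # logout
        cookie = ""                            # browser drops the expired cookie
    second = SimpleCookie(app.login("bob", cookie))["JSESSIONID"].value  # login again
    return first, second, app.whoami(f"JSESSIONID={first}")

if __name__ == "__main__":
    for rotate in (False, True):
        first, second, owner = reproduce(SessionApp(rotate))
        print(f"rotate={rotate}: same_id={first == second}, first ID now maps to {owner}")
```

      With `rotate=False` the ID noted in step two is still valid after the second login and maps to the second user, which is the shared-browser risk described in the hints; with `rotate=True` it maps to no one.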

          People

          • Assignee: Michael Schoettes (michael.schoettes)
          • Reporter: Sebastian Stamm (sebastian.stamm)