Oracle Weblogic Server (MOSC)

MOSC Banner

How to disable Disable jsessionid

edited Oct 4, 2010 9:06PM in Oracle Weblogic Server (MOSC) 3 commentsAnswered
Good day all, The following vulnerability was found and I would like to look into disabling jsessionid. Any idea of the best way to disable jsessionid to satisfy the below? Any help will be very much appreciated.

The cookie named JSESSIONID appears to be used to track session state. If so, it also appears to be vulnerable to session fixation. When the URL was supplied, the response set the cookie to the same value provided in the URL. It does not appear to be possible to set the cookie to arbitrary values. This means that the attacker must first identify a valid session ID before fixating the victim on it. One form of session fixation is when an arbitrary session ID can be set from an HTTP query parameter. If an attacker can get the user to execute the query (perhaps by clicking on a link), the session can be easily hijacked since

Howdy, Stranger!

Log In

To view full details, sign in to My Oracle Support Community.

Register

Don't have a My Oracle Support Community account? Click here to get started.

Category Leaderboard

Top contributors this month

Instructions for posting

×

1. Select a discussion category from the picklist.


2. Enter a title that clearly identifies the subject of your question.


3. In the body, insert detailed information, including Oracle product and version.


Please abide by the Oracle Community guidelines and refrain from posting any customer or personally identifiable information (PI/CI).


Cloud / Fusion customers - Our Cloud community has moved! Please go to Cloud Customer Connect .


New to My Oracle Support Community? Visit our Welcome Center

MOSC Help Center