    [bogus] Session Fixation bug reported by Veracode

    The following issue was reported when a security audit was run over the source code of Smart GWT 3.0.

    Session Fixation
    Recommendations
    Invalidate any existing session after the user has authenticated but before calling methods that establish the UserPrincipal. Also, invalidate the session object when a user logs out; otherwise the session will remain valid on the server.
    com/.../velocity/Velocity.java 367

    Can we have resolution for this soon please?
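    The recommendation quoted above, as an added example of how a servlet-based login and logout would apply it. This is not Smart GWT code and not the reporter's; `LoginServlet`, `LogoutServlet`, the `USER_PRINCIPAL` attribute key, `authenticate()` and the in-memory user store are assumptions made for the illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login handler showing the session-fixation mitigation:
// the session the client arrived with is discarded and a fresh one is
// created before the authenticated principal is stored in it.
public class LoginServlet extends HttpServlet {

    // Assumed attribute name under which the principal is kept (not a Smart GWT key).
    static final String USER_PRINCIPAL = "com.example.USER_PRINCIPAL";

    // Constructed demo credential store; a real deployment would use a
    // password-hashing scheme and an external identity source.
    private static final Map<String, String> DEMO_USERS = new HashMap<>();
    static {
        DEMO_USERS.put("alice", "demo-password-alice");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        Principal principal = authenticate(user, pass);
        if (principal == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Fixation defence: invalidate any pre-authentication session (its id may
        // have been chosen by someone other than this user) and mint a new one
        // BEFORE anything that establishes the principal runs.
        HttpSession existing = req.getSession(false);
        if (existing != null) {
            existing.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(USER_PRINCIPAL, principal);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Placeholder credential check against the constructed store; the
    // constant-time comparison avoids leaking the match length via timing.
    static Principal authenticate(String user, String pass) {
        if (user == null || pass == null) {
            return null;
        }
        String expected = DEMO_USERS.get(user);
        if (expected == null) {
            return null;
        }
        boolean ok = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                pass.getBytes(StandardCharsets.UTF_8));
        return ok ? () -> user : null; // Principal is a functional interface (getName)
    }
}

// Hypothetical logout handler: invalidating the session on the server side is
// what makes the old id unusable; clearing the cookie alone would leave the
// server-side session alive, which is the second half of the recommendation.
class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

    On a Servlet 3.1 or later container, `req.changeSessionId()` rotates the id while keeping the existing attributes, which is a lighter alternative when pre-login state (for example a shopping cart) must survive authentication; the invalidate-and-recreate form above is the one the recommendation describes and works on older containers.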

    #2
    This appears to be a bogus report.

    In general, security scanning tools produce a lot of bogus reports, because among other things they will scan methods that are not accessible from end user UI as though they were publicly accessible (this includes developer tools, code for command-line use, test code, etc).

    If you believe you've found a security vulnerability you should submit a test case showing how the code could be exploited.
