A little background: We use a tool called Fortify Static Code Analyzer. It has reported a (false positive) finding of "session fixation" for the below file.
\automation\automation-vaadin-war\src\main\webapp\login.jsp
The finding reports that "Authenticating a user without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions."
I tested this myself and confirmed that the session is indeed invalidated upon login, i.e. a new JSESSIONID value is given upon login. I explained this to the Fortify team, but they insist that I show them where it happens in the code. Since the Fortify finding is in the LSPS project code, I was hoping you guys could help.
So, my question: where in LSPS code does the session get invalidated on the LSPS Console login? If possible, please give file name(s) and line number(s).
Much appreciated,
Zachary
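As an added illustration (not LSPS code and not taken from the post above), this is the shape of the login-time session rotation that a static analyzer expects to find: the pre-authentication session is invalidated and a fresh one created before any authenticated state is stored, which is what produces the new JSESSIONID observed after login. The class name SessionFixationGuard and the "preauth." attribute prefix are assumptions made for the example.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: rotate the session identifier on successful authentication. */
public final class SessionFixationGuard {

    private SessionFixationGuard() {}

    /**
     * Call after the user's credentials have been verified and before any
     * authenticated state is written to the session. Returns the new session.
     */
    public static HttpSession rotateSession(HttpServletRequest request, String principal) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            // Carry over only pre-authentication state that is safe to keep
            // (assumed convention: attributes prefixed "preauth.", e.g. a CSRF
            // token or a return-to URL); everything else is dropped.
            for (String name : Collections.list(old.getAttributeNames())) {
                if (name.startsWith("preauth.")) {
                    carried.put(name, old.getAttribute(name));
                }
            }
            // Invalidate so the pre-login JSESSIONID can no longer be used.
            old.invalidate();
        }
        // getSession(true) issues a fresh identifier; the Set-Cookie header on the
        // login response now carries a JSESSIONID that was never exposed pre-login.
        // On Servlet 3.1+ containers, request.changeSessionId() is an alternative
        // that renews the id while keeping the existing session's attributes.
        HttpSession fresh = request.getSession(true);
        carried.forEach(fresh::setAttribute);
        fresh.setAttribute("principal", principal);
        return fresh;
    }
}
```

When auditing a codebase for this finding, the call to invalidate() (or changeSessionId()) must sit between credential verification and the first write of authenticated state; a rotation that happens only on logout or on the next request does not satisfy the check.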