Currently i have one vaadin application that i use to authenticate and remains the same after authentication .
To prevent "
session fixation " attacks, after a sucessfuly login, i need a way to transfer the authenticated vaadin application to a new HttpSession or alternatively close de first application and creates a new vaadin application with the same authentication in a new HttpSession.
I saw the ticket #6094 that reports this problem, but still has no solution.
Anyone have a good idea or a solution to solve this problem?
I have an application in production that urgently needs this security recomendation solved, any help will be very grateful.
if you want to sponsor our Vaadin development, please let me know and we can have our R&D look into it asap. This, as any other feature sponsoring requests, will most easily be handled through our Vaadin Pro Account (http://vaadin.com/pro-account).
In a “normal” environment you get a session on the very first request you make to a website.
That same session/cookie is then used when you login and do more privilegated operations.
And this is the security issue.
Normally you should use one cookie/session for non-authenticated user,
and after sucessfull login you assign him a new session/cookie.
The same is also when you access a website via http:// and then (after login)
switch to https:// but still “accept” the session/cookie from the http:// connection.
There are other variants of this, see in the wikipedia entry.
And it is definitively a potential security issue…
Certainly, it’s a potential security breach as it may happen sith any other http app.
I’m currently testing Dontpush addon. Initial session is created through http, but next conversation ins made through websocket connection. I haven’t got it work because a NPE, but probably that maybe a workaround, because if no http is involved, no session cookie is needed.
