Assignment of JSESSIONIDs


    • Type: Suggestion
    • Resolution: Won't Fix
    • Component/s: None
    • Environment:
      Windows Server 2003 using SQL 2005 databases

      NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion.

      I believe it should be a feature in future versions of Confluence to assign a different JSESSIONID to the user's session once they have authenticated and logged in to the site. This is to differentiate between a user's session before they have logged in and after they have authenticated and have a valid authenticated session on the server. At the moment the JSESSIONID value is the same for when a user first navigates to the site and after they have authenticated. There is a small chance that a hacker etc. could spoof a user's session and masquerade as them on the site once the user has authenticated.

      We recently had a penetration test performed on our Confluence installation and this was raised as an issue, however small.

      Matt
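As an added example, not part of this issue or of Confluence's own code, the following Servlet-API helper does what the suggestion asks for: it retires the pre-login session (and its JSESSIONID) and binds the user to a freshly issued session at the moment of authentication. The class and method names, and the `returnTo` attribute, are assumptions; the caller is assumed to have already verified the credentials.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper, called right after credentials have been verified.
 * Invalidates the anonymous (pre-authentication) session so its JSESSIONID
 * stops being honoured by the server, then creates a new session whose ID
 * an observer of the pre-login traffic has never seen.
 */
public final class SessionRotation {

    // Attributes that are harmless to carry across the trust boundary.
    // Everything else set before login is dropped with the old session.
    private static final String[] SAFE_TO_KEEP = { "returnTo" };

    public static HttpSession rotateOnLogin(HttpServletRequest req, String username) {
        Map<String, Object> keep = new HashMap<>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            for (String name : SAFE_TO_KEEP) {
                Object value = old.getAttribute(name);
                if (value != null) {
                    keep.put(name, value);
                }
            }
            old.invalidate(); // old JSESSIONID is now unknown to the container
        }

        // getSession(true) makes the container issue a brand-new JSESSIONID
        // (Set-Cookie on this response). On Servlet 3.1+ containers,
        // req.changeSessionId() is the alternative that keeps attributes in place.
        HttpSession fresh = req.getSession(true);
        keep.forEach(fresh::setAttribute);
        fresh.setAttribute("authenticatedUser", username);
        return fresh;
    }

    private SessionRotation() {}
}
```

A quick check that the fix is in place: capture the `JSESSIONID` cookie before submitting the login form and confirm the login response carries a `Set-Cookie: JSESSIONID=...` with a different value.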

    • Assignee: Unassigned
    • Reporter: Matt Stilliard
    • Votes: 1
    • Watchers: 3
