5 Replies Latest reply on Mar 11, 2011 4:23 AM by ivajloip

    Servlet container did not change the session ID

    ivajloip

      Hi!

      I'm new to JBoss Web. I'm running JBoss Web 2.1.9.GA and I use Spring Security. Some time ago I noticed this warning message:

      WARN SessionFixationProtectionStrategy:95 - Your servlet container did not change the session ID when a new session was created. You will not be adequately protected against session-fixation attacks

      I tried to search for it, but still I couldn't find anything that would fix the problem. Can someone tell me what might cause this warning to appear? Is it a configuration issue, or is it something else? If you need some of the configuration files to diagnose this, please tell me which.

      Any help will be greatly appreciated.

      Ivaylo Petrov