5 Replies. Latest reply: Mar 11, 2011 4:23 AM by Ivaylo Petrov

Servlet container did not change the session ID

Ivaylo Petrov Newbie

Hi!

I'm new to JBoss Web. I'm running JBoss Web 2.1.9.GA and I use Spring Security. Some time ago I noticed this warning message:

WARN SessionFixationProtectionStrategy:95 - Your servlet container did not change the session ID when a new session was created. You will not be adequately protected against session-fixation attacks

I tried to search for it, but still I couldn't find anything that would fix the problem. Can someone tell me what might cause this warning to appear? Is it a configuration issue, or is it something else? If you need some of the configuration files to diagnose this, please tell me which.

Any help will be greatly appreciated.

Ivaylo Petrov