You are viewing the documentation for Blueriq 15. Documentation for other versions is available in our documentation directory.
Session Fixation is an attack that permits an attacker to hijack a valid user session. For more information, visit https://owasp.org/www-community/attacks/Session_fixation.
In Blueriq, Session Fixation protection is implemented by changing the session ID to a new value whenever a login occurs for that session. We introduced a property to enable this protection:
blueriq.security.session-fixation-protection.enabled = true
In Blueriq 15 and higher, the default value is true
. In older versions, the default value is false
.
When to enable
We advise to enable the session fixation protection, because it eliminates an attack vector. Therefore, we changed the default to true
for Blueriq 15.
Session fixation protection may for example break test cases that depend on a fixed session ID.
During our Runtime cluster tests, we noticed a problem in one of our failover test cases. Therefore, if you're using Redis for distributed session management, we do not recommend to enable session fixation protection.
Introduced in
The session fixation protection property is available from Blueriq 14.11 and onwards. We backported the property to 13.13.18, and 12.13.39.