You are viewing the documentation for Blueriq 13. Documentation for other versions is available in our documentation directory.
Session Fixation is an attack that permits an attacker to hijack a valid user session. For more information, visit https://owasp.org/www-community/attacks/Session_fixation.
In Blueriq, Session Fixation protection is implemented by changing the session ID to a new value whenever a login occurs for that session. We introduced a property to enable this protection:
blueriq.security.session-fixation-protection.enabled = true
The default value is false.
When to enable
We advise enabling session fixation protection, because it eliminates an attack vector. For that reason, we changed the default to true for Blueriq 15.
Session fixation protection may, for example, break test cases that depend on a fixed session ID.
During our Runtime cluster tests, we noticed a problem in one of our failover test cases. Therefore, if you use Redis for distributed session management, we do not recommend enabling session fixation protection.
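As an added illustration of the mechanism described above (constructed for this page, not Blueriq's own code), a minimal in-memory session store with the rotate-on-login behaviour behind a flag that mirrors the property. Running the same login with the flag off and on shows why a session ID that was known before login stops resolving once protection is enabled, which is also why test cases that keep using a fixed session ID break. The store, the `run_scenario` helper and the session ID values are assumptions of this example.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store (constructed for this example, not Blueriq's)."""

    def __init__(self, session_fixation_protection_enabled: bool):
        # Mirrors blueriq.security.session-fixation-protection.enabled
        self.protection_enabled = session_fixation_protection_enabled
        self.sessions = {}  # session id -> attributes

    def open_session(self, session_id=None):
        """Start an anonymous session. Passing an id stands in for an id that
        was already known before login (the situation the OWASP page describes)."""
        sid = session_id or secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, session_id, user):
        """Authenticate the session and return the id the client must use next.
        With protection on, the session keeps its attributes but gets a fresh id,
        so the pre-login id no longer maps to anything."""
        attrs = self.sessions[session_id]
        attrs["user"] = user
        if not self.protection_enabled:
            return session_id
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = self.sessions.pop(session_id)
        return new_sid

    def user_for(self, session_id):
        """Resolve a session id to its user, or None if the id is unknown or anonymous."""
        attrs = self.sessions.get(session_id)
        return attrs["user"] if attrs else None


def run_scenario(protection_enabled):
    """Log in on a pre-known session id and report what that id and the
    post-login id resolve to afterwards."""
    store = SessionStore(protection_enabled)
    fixed_id = store.open_session("id-known-before-login")  # constructed value
    current_id = store.login(fixed_id, "alice")
    return store.user_for(fixed_id), store.user_for(current_id)


if __name__ == "__main__":
    print("protection off:", run_scenario(False))  # ('alice', 'alice')
    print("protection on: ", run_scenario(True))   # (None, 'alice')
```

With protection on, a client (or test) that keeps presenting the pre-login id is treated as anonymous; only the id returned by `login` carries the authenticated session.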
Introduced in
The session fixation protection property is available in Blueriq 13 from Blueriq 13.13.18.