Hi all The the Session-ID Fixation paper available from http://www.acros.si/papers/session_fixation.pdf mentions that JRun accepts abritrary Session-ID's and create new sessions with the proposed Session-ID. This means that it is possible to send the following URL http://foo/bar?jsessionid=foo123 and the JRun server will accept and use the proposed Session-ID (foo123). Furthermore the server will set a cookie in users browser with the proposed Session-ID! Using this technique, it is much easier to exploit this kind of attack and to enter in other's web application sessions. Is anybody aware of a vendor patch or another workaround? Is it possible to enforce the server to create a new Session-ID? Thanks a lot Christoph
