Last updated on JULY 01, 2016
Applies to: Oracle Communications Converged Application Server - Version 4.0.0 and later
Information in this document applies to any platform.
The Oracle WebLogic servlet session cookie can be fixated via an HTTP POST request. This type of session fixation attack has been confirmed with different session descriptor elements. In particular, it has also been confirmed with the session descriptor element <url-rewriting-enabled> set to "False". This setting prevents session fixation via an HTTP GET request but fails to mitigate session fixation attacks performed over HTTP POST.
Is there a fix for Session Fixation Via HTTP POST Request (CVE-2010-4437)?
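As an added illustration of the defensive checks the description above implies (this is example code, not Oracle's patch or any WebLogic code; the `SessionFixationFilter` class and the `rotateSessionId` helper are hypothetical), a servlet filter that refuses to honour a session id the container did not issue, regardless of HTTP method, together with a helper that rotates the session id after authentication:

```java
// Added example, not Oracle's code: reject container-unknown session ids on
// every request (GET and POST alike) and rotate the id after login.
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionFixationFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // A session id arrived (cookie or rewritten URL) that the container does not
        // recognise as one it issued: treat it as attacker-supplied and replace it.
        // The check ignores the HTTP method, so a POST gets the same treatment as a GET.
        if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
            HttpSession stale = request.getSession(false);
            if (stale != null) stale.invalidate();
            request.getSession(true); // container issues a fresh id in the response
        }
        chain.doFilter(req, res);
    }

    // Hypothetical helper for a login servlet: call once credentials are verified.
    // This is what defeats an id the container itself issued earlier and the
    // attacker then planted in the victim's browser.
    public static HttpSession rotateSessionId(HttpServletRequest request) {
        Map<String, Object> kept = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String n = (String) names.nextElement();
                kept.put(n, old.getAttribute(n));
            }
            old.invalidate(); // discard the pre-authentication id entirely
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : kept.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

The filter alone only catches ids the container never issued; a fixated id that was itself obtained from the server is only neutralised by the post-login rotation, which is why both parts are shown.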