My Oracle Support Banner

How To Apply Patch For Session Fixation Via HTTP POST Request (Doc ID 1504970.1)

Last updated on DECEMBER 04, 2019

Applies to:

Oracle Communications Converged Application Server - Version 4.0.0 and later
Information in this document applies to any platform.


Oracle WebLogic servlet session cookie can be fixated via HTTP POST request. This type of session fixation attack has been confirmed with different session descriptor elements. In particular, the attack has also been confirmed with the session descriptor element <url-rewriting-enabled> set to “False”. Such setting prevents session fixation attack via HTTP GET request but fails to mitigate session fixation attacks performed over HTTP POST.

Is there a fix for Session Fixation Via HTTP POST Request (CVE-2010-4437)?


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.