
Need Patch For Fixing Issue With "Broken Session & Session Management" (Doc ID 2547599.1)

Last updated on NOVEMBER 29, 2019

Applies to:

Oracle Commerce Platform - Version 11.1 and later
Information in this document applies to any platform.


On : 11.1 version, Application Framework (Repositories, APIs, Core Services)

Need patch for fixing issue with "Broken Session & Session Management"

In the case where an attacker had successfully logged into a user's account, the attacker would continue to have access to that account until the session expired, even after the actual user changed the password.

To replicate, use two browsers:

Browser 1: Sign into valid account, capture JSESSIONID

Browser 2: Sign into same account, observe the different JSESSIONID used

Browser 2: Go to profile and change password

Browser 1: Even though the password has changed, the user continues to have access to the account information and is able to browse as a signed-in user.

We want to know if there is any patch (either in Oracle Commerce or WebLogic) available to invalidate all existing user sessions across the app server cluster once the password is changed.
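The two-browser procedure above, and the cluster-wide invalidation asked for, as an added example that is not code from Oracle Commerce or WebLogic. It is a Python model in which each cluster node keeps its own session table (as with a non-replicated servlet session store) while all nodes read one shared user record; the class and field names (Node, password_version, reproduce) are assumptions made for the model, and the user, passwords and session ids are constructed inline. With strict=False the model behaves as reported; with strict=True every session carries the password_version it was issued under and is rejected on its next request once the stored version has moved on, so a node that never heard about the password change still signs the stale session out.

```python
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Node:
    """One app-server instance (assumed name). Sessions are local to the node;
    users is the shared dict standing in for the profile repository every
    node reads.

    strict=False reproduces the reported behaviour: a session is good until it
    expires. strict=True stamps each session with the user's password_version
    at login and rejects it as soon as the stored version moves on."""

    def __init__(self, users: dict, strict: bool):
        self.users = users
        self.strict = strict
        self.sessions = {}   # JSESSIONID -> {"login", "password_version"}

    def login(self, login: str, password: str):
        """Return a fresh session id on valid credentials, else None."""
        user = self.users.get(login)
        if user is None or not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
            return None
        sid = secrets.token_urlsafe(24)   # fresh id per login, like a new JSESSIONID
        self.sessions[sid] = {"login": login, "password_version": user["password_version"]}
        return sid

    def current_user(self, sid):
        """Resolve a session to a login, or None if it must be treated as signed out."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if self.strict and sess["password_version"] != self.users[sess["login"]]["password_version"]:
            del self.sessions[sid]   # stale: signed out on this node, no broadcast needed
            return None
        return sess["login"]

    def change_password(self, sid, old: str, new: str) -> bool:
        """Profile page password change performed from session sid."""
        login = self.current_user(sid)
        if login is None:
            return False
        user = self.users[login]
        if not hmac.compare_digest(_hash(old, user["salt"]), user["hash"]):
            return False
        user["salt"] = secrets.token_bytes(16)
        user["hash"] = _hash(new, user["salt"])
        user["password_version"] += 1     # every session stamped with the old version is now stale
        if self.strict:
            self.sessions[sid]["password_version"] = user["password_version"]  # keep the changer signed in
        return True


def register(users: dict, login: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    users[login] = {"salt": salt, "hash": _hash(password, salt), "password_version": 0}


def reproduce(strict: bool):
    """Run the two-browser procedure across two cluster nodes.
    Returns (attacker_still_signed_in, legitimate_user_still_signed_in)."""
    users = {}                                            # constructed sample data
    register(users, "alice", "correct horse")
    node_a, node_b = Node(users, strict), Node(users, strict)
    browser1 = node_a.login("alice", "correct horse")     # attacker, who knows the old password
    browser2 = node_b.login("alice", "correct horse")     # real user, on a different node
    assert browser1 and browser2 and browser1 != browser2  # two distinct JSESSIONIDs
    assert node_b.change_password(browser2, "correct horse", "battery staple")
    assert node_a.login("alice", "correct horse") is None  # old password is dead everywhere
    return (node_a.current_user(browser1) == "alice",
            node_b.current_user(browser2) == "alice")


if __name__ == "__main__":
    print("vulnerable:", reproduce(strict=False))   # (True, True)
    print("fixed:     ", reproduce(strict=True))    # (False, True)
```

The check runs on every authenticated request and compares a per-session stamp with the shared user record, so it needs no session replication and no cross-node invalidation message; a coarser variant of the same idea compares the session's creation time with a password-changed timestamp on the user. The session that performed the change is re-stamped so the legitimate user is not signed out by their own password change.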

