Session Not Renewed After Entering the Credentials (Doc ID 2402277.1)

Last updated on MAY 23, 2018

Applies to:

Oracle E-Business Suite Technology Stack - Version 12.1.3 and later
Information in this document applies to any platform.

Goal

Our security team mentioned that the application doesn’t renew the session after entering the credentials; the application keeps the session cookie unchanged after the user enters his credentials.

The attacker can leverage this in a session fixation attack in case he finds a vulnerability that allows him to set the session cookie. Is it doable to renew the session cookie after the user enters his credentials?
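
The behaviour described in this Goal, as an added example (not Oracle's code and not taken from this document): a toy in-memory session store that either keeps the pre-login cookie or renews it at login, with the before/after comparison a tester would run. The names `SessionStore` and `check_renewal` are hypothetical, and nothing here reflects E-Business Suite cookie names or internals.

```python
import secrets


class SessionStore:
    """Toy server-side session table keyed by the session cookie value."""

    def __init__(self, renew_on_login):
        self.renew_on_login = renew_on_login
        self.sessions = {}  # cookie value -> session data

    def visit(self, cookie=None):
        """Anonymous request: reuse a known cookie, otherwise issue a fresh one."""
        if cookie not in self.sessions:
            cookie = secrets.token_urlsafe(32)
            self.sessions[cookie] = {"user": None}
        return cookie

    def login(self, cookie, user):
        """Called after the credentials were verified; returns the cookie to set."""
        cookie = self.visit(cookie)
        if self.renew_on_login:
            # Retire the pre-login identifier and move the session data to a
            # newly generated one, so a value known before login is useless.
            data = self.sessions.pop(cookie)
            cookie = secrets.token_urlsafe(32)
            self.sessions[cookie] = data
        self.sessions[cookie]["user"] = user
        return cookie

    def whoami(self, cookie):
        """User bound to this cookie, or None if anonymous or unknown."""
        return self.sessions.get(cookie, {}).get("user")


def check_renewal(store, user="alice"):
    """Return (cookie_changed, pre_login_cookie_is_authenticated)."""
    pre = store.visit()            # cookie value as it exists before login
    post = store.login(pre, user)  # cookie value after credentials are entered
    return pre != post, store.whoami(pre) == user


if __name__ == "__main__":
    for renew in (False, True):
        changed, stale_ok = check_renewal(SessionStore(renew_on_login=renew))
        print(f"renew_on_login={renew}: cookie changed={changed}, "
              f"pre-login cookie authenticated={stale_ok}")
```
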
 

Solution

To view full details, sign in with your My Oracle Support account.