Session Not Renewed After Entering the Credentials
(Doc ID 2402277.1)
Last updated on MAY 23, 2018
Applies to: Oracle E-Business Suite Technology Stack - Version 12.1.3 and later
Information in this document applies to any platform.
Our security team mentioned the application doesn’t renew the session after entering the credentials; the application keeps the session cookie unchanged after the user enters his credentials.
The attacker can leverage this in a session fixation attack in case he finds a vulnerability that allows him to set the session cookie. Is it doable to renew the session cookie after the user enters his credentials?
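The condition described above can be checked from captured response headers. The following is an added example, not part of the original note or of Oracle's code: it compares the session cookie issued before login with what the login response sets. The cookie name `APPSESSION` and all header values are constructed assumptions; substitute the cookie your instance actually issues.

```python
from http.cookies import SimpleCookie

SESSION_COOKIE = "APPSESSION"  # assumed name, not taken from the note


def session_id(set_cookie_headers, name=SESSION_COOKIE):
    """Return the last value set for `name` across Set-Cookie header values, or None."""
    value = None
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if name in jar:
            value = jar[name].value
    return value


def fixation_exposed(pre_login_headers, post_login_headers, name=SESSION_COOKIE):
    """True if the pre-login session ID is still the one in use after login."""
    before = session_id(pre_login_headers, name)
    if before is None:
        # No session ID existed before authentication, so none could be planted.
        return False
    after = session_id(post_login_headers, name)
    # No new cookie in the login response means the browser keeps sending the
    # old ID; an identical value means the same thing.
    return after is None or after == before


# Constructed sample Set-Cookie values (not captured from a real system).
PRE_LOGIN = ["APPSESSION=abc123; Path=/; HttpOnly"]
LOGIN_NO_COOKIE = ["LANG=en; Path=/"]
LOGIN_SAME_ID = ["APPSESSION=abc123; Path=/; HttpOnly"]
LOGIN_RENEWED = ["APPSESSION=zz9Yx7; Path=/; HttpOnly; Secure"]

if __name__ == "__main__":
    for label, headers in [("no cookie set", LOGIN_NO_COOKIE),
                           ("same id", LOGIN_SAME_ID),
                           ("renewed", LOGIN_RENEWED)]:
        print(label, "->", "exposed" if fixation_exposed(PRE_LOGIN, headers) else "ok")
```

A changed cookie value is necessary but not sufficient: the server must also stop accepting the pre-login ID, which header comparison alone cannot confirm.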