Session Not Renewed After Entering the Credentials

(Doc ID 2402277.1)

Last updated on MAY 23, 2018

Applies to:

Oracle E-Business Suite Technology Stack - Version 12.1.3 and later
Information in this document applies to any platform.

Goal

Our security team mentioned the application doesn’t renew the session after entering the credentials; the application keeps the session cookie unchanged after the user enters his credentials.

The attacker can leverage this in a session fixation attack in case he finds a vulnerability that allows him to set the session cookie. Is it doable to renew the session cookie after the user enters his credentials?
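
One way to verify the behaviour described above is to compare the session cookie issued before login with the one in effect after login. The following is an added example, not Oracle code and not part of the original document; the cookie name SESSIONID and the sample responses are constructed placeholders.

```python
from http.cookies import SimpleCookie

# Constructed sample responses (not captured from any real system).
# "SESSIONID" is a placeholder cookie name assumed for illustration.
PRE_LOGIN = """HTTP/1.1 200 OK
Set-Cookie: SESSIONID=a1b2c3d4e5f6; Path=/; HttpOnly
Content-Type: text/html
"""
POST_LOGIN_UNCHANGED = """HTTP/1.1 302 Found
Location: /home
"""
POST_LOGIN_ROTATED = """HTTP/1.1 302 Found
Set-Cookie: SESSIONID=9f8e7d6c5b4a; Path=/; HttpOnly
Location: /home
"""


def set_cookies(raw_response: str) -> dict:
    """Return {name: value} for every Set-Cookie header in a raw response."""
    jar = {}
    for line in raw_response.splitlines():
        header, _, value = line.partition(":")
        if header.strip().lower() == "set-cookie":
            parsed = SimpleCookie()
            parsed.load(value.strip())
            jar.update({name: morsel.value for name, morsel in parsed.items()})
    return jar


def unrenewed_session_cookies(pre_login: str, post_login: str, session_names) -> list:
    """List session cookies whose value is the same before and after login.

    A browser keeps the pre-login value unless the login response overwrites
    it, so a missing Set-Cookie and a re-issued identical value both count
    as "not renewed".
    """
    before = set_cookies(pre_login)
    after = dict(before)
    after.update(set_cookies(post_login))
    return sorted(
        name for name in session_names
        if name in before and after.get(name) == before[name]
    )


if __name__ == "__main__":
    for label, resp in (("unchanged", POST_LOGIN_UNCHANGED), ("rotated", POST_LOGIN_ROTATED)):
        print(label, unrenewed_session_cookies(PRE_LOGIN, resp, ["SESSIONID"]))
```

A non-empty result means the pre-authentication identifier is still valid for the authenticated session, which is the condition the security team reported.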
 

Solution
