Session Not Renewed After Entering the Credentials
Last updated on MAY 23, 2018
Applies to: Oracle E-Business Suite Technology Stack - Version 12.1.3 and later
Information in this document applies to any platform.
Our security team mentioned the application doesn’t renew the session after entering the credentials; the application keeps the session cookie unchanged after the user enters his credentials.
The attacker can leverage this in a session fixation attack in case he finds a vulnerability that allows him to set the session cookie. Is it doable to renew the session cookie after the user enters his credentials?
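One way to verify the behaviour described above from recorded HTTP headers, as an added example that is not part of the original document or of Oracle's code: it compares the session cookie issued before login with what the login response sets. The cookie name `SESSIONID` and every header value are constructed placeholders, not the names E-Business Suite uses.

```python
from http.cookies import SimpleCookie


def parse_set_cookie(header_values):
    """Map cookie name -> value for a list of Set-Cookie header values."""
    jar = {}
    for value in header_values:
        cookie = SimpleCookie()
        cookie.load(value)
        for name, morsel in cookie.items():
            jar[name] = morsel.value
    return jar


def session_renewal_status(pre_login, login_response, cookie_name):
    """Classify how the login response treats the pre-login session id."""
    old = parse_set_cookie(pre_login).get(cookie_name)
    new = parse_set_cookie(login_response).get(cookie_name)
    if old is None:
        return "no-pre-login-session"
    # No new cookie, or the same value re-sent: the identifier that existed
    # before authentication is still the one that identifies the session.
    if new is None or new == old:
        return "not-renewed"
    return "renewed"


# Constructed sample data (placeholder cookie name and values).
COOKIE_NAME = "SESSIONID"
LOGIN_PAGE = ["SESSIONID=a1b2c3d4; Path=/; HttpOnly; Secure"]
LOGIN_RESPONSES = {
    "login sets no cookie": [],
    "login re-sends same id": ["SESSIONID=a1b2c3d4; Path=/; HttpOnly; Secure"],
    "login issues new id": ["SESSIONID=z9y8x7w6; Path=/; HttpOnly; Secure"],
}


def audit():
    """Return the renewal status for each constructed login response."""
    return {
        label: session_renewal_status(LOGIN_PAGE, headers, COOKIE_NAME)
        for label, headers in LOGIN_RESPONSES.items()
    }


if __name__ == "__main__":
    for label, status in audit().items():
        print(f"{label}: {status}")
```
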