...
In the above solution, we have switched from a cookie to a session (`HttpSession`) to store user information. Additionally, the current session is invalidated and a new session is created to prevent session fixation attacks, as described by The Open Web Application Security Project (OWASP 2009). The session timeout has also been set to two hours to reduce the window in which an attacker could perform session hijacking.
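As an added illustration of the points above (not the page's own compliant solution), the following login handler shows the three steps together: invalidate whatever session the client arrived with, create a fresh one for the authenticated user, and bound its lifetime. The `LoginServlet` class, the `/home` redirect target and the `authenticate()` helper are assumptions for the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {
    // Two hours, in seconds, as HttpSession.setMaxInactiveInterval() expects.
    private static final int SESSION_TIMEOUT_SECONDS = 2 * 60 * 60;

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        if (!authenticate(username, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Discard any session that existed before authentication. A session ID
        // the client brought with it must not survive the login; otherwise that
        // pre-existing ID would now name an authenticated session, which is the
        // session fixation scenario the text refers to.
        HttpSession oldSession = request.getSession(false);
        if (oldSession != null) {
            oldSession.invalidate();
        }

        // Create a fresh session; the container issues a new, unpredictable ID.
        HttpSession session = request.getSession(true);
        // Store user information server-side rather than in a client cookie.
        session.setAttribute("username", username);
        // Limit how long a stolen session ID remains usable.
        session.setMaxInactiveInterval(SESSION_TIMEOUT_SECONDS);

        response.sendRedirect(request.getContextPath() + "/home");
    }

    // Hypothetical credential check; a real application would consult its
    // authentication backend here.
    private boolean authenticate(String username, String password) {
        return username != null && password != null && !username.isEmpty();
    }
}
```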
...
[OWASP 2009] Session Fixation in Java, http://www.owasp.org/index.php/Session_Fixation_in_Java
[Oracle 2010] javax.servlet.http Package API, http://download.oracle.com/javaee/6/api/javax/servlet/http/package-summary.html