Axon.ivy 7.0 - the Digital Business Platform - is out now...

Hi everyone, as far as I can find, every time user logs in with IVY Portal, the session is kept (not renewed). You can check this via JSESSIONID. Thus, it leads to session fixation attack.
May Axon.ivy provide a mechanism to prevent this kind of attack? I am using Axon.ivy 6.3.0.
Thank you.

asked 03.01 at 04:25

Bao%20Tran's gravatar image

Bao Tran
517
accept rate: 0%

edited 03.01 at 04:26


Hi

This is a known issue. See https://jira.axonivy.com/jira/browse/XIVY-349 Unfortunately, we cannot fix this issue without breaking RIA applications. However, we plan to drop RIA support in Axon.ivy 8. After that we can fix this issue.

Regards Reto Weiss, Axon.ivy Support

link

answered 04.01 at 04:20

Reto%20Weiss's gravatar image

Reto Weiss ♦♦
3.9k172148
accept rate: 74%

Thank you for your answer. This means that there is nothing we can do now?

(04.01 at 04:37) Bao Tran Bao%20Tran's gravatar image
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×75
×64
×12

Asked: 03.01 at 04:25

Seen: 57 times

Last updated: 04.01 at 04:37