Details
Description
Reproduce:
- Login to any webapp
- Take note of the session ID (Cookie JSESSIONID)
- Logout
- Login again
Expected:
- New session ID is different from the first session ID
Observed:
- Same session ID is used
Hints:
- The session cookie is set to expire at the end of the session. In most browsers this is when all browser windows are closed
- The current behavior allows an user to steal another users session in a scenario where both users share the same computer and browser