demba90 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
0 stars 0 forks source link

JSESSIONID is hard-coded in WAF files #174

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
Hard-coded references to JSESSIONID (instead of configurable session id name) 
are here: 
src/java/org.owasp.esapi.waf.configuration.ConfigurationParser:65
test/resources/.esapi/waf-policy.xml:34 

What is the expected output? What do you see instead?
expect configurable session id name based on HttpUtilities.HttpSessionIdName in 
ESAPI.properties file ... instead JSESSIONID is hard-coded

Original issue reported on code.google.com by jtmel...@gmail.com on 5 Nov 2010 at 3:29

GoogleCodeExporter commented 8 years ago
Set to milestone release 2.0

Original comment by jtmel...@gmail.com on 5 Nov 2010 at 3:30

GoogleCodeExporter commented 8 years ago

Original comment by manico.james@gmail.com on 5 Nov 2010 at 3:35

GoogleCodeExporter commented 8 years ago

Original comment by manico.james@gmail.com on 5 Nov 2010 at 3:35

GoogleCodeExporter commented 8 years ago
Fixed this with SVN revision 1729 in 
org.owasp.esapi.waf.configuration.ConfigurationParser by setting it to value 
returned by ESAPI.securityConfiguration().getHttpSessionIdName(). [Note: I left 
this as a 'private static final', initialized in a static initializer with 
appropriate try / catch block. This means if ESAPI.properties changes 
HttpUtilities.HttpSessionIdName and is reparsed, the same value will still be 
used. If this is not acceptable behavior, then re-open this issue or create a 
new one. Also, because the code was so simple, I did not write any new JUnit 
tests to test it.]

Finally, I am not sure what is expected to be done for 
'test/resources/esapi/waf-policy.xml' as it seems to require a hard-coded value.

Original comment by kevin.w.wall@gmail.com on 12 Feb 2011 at 8:29