demba90 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

jsessionid validator regex in esapi.properties not applicable to ids generated by tomcat #286

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
From http://tomcat.apache.org/tomcat-6.0-doc/config/manager.html :

The length of session ids created by this Manager, measured in bytes, excluding subsequent conversion to a hexadecimal string and excluding any JVM route information used for load balancing. The default is 16.

The validator regex in Validator.HTTPJSESSIONID should be changed from

^[A-Z0-9]{10,30}$

to

^[A-Z0-9]{10,32}$

Original issue reported on code.google.com by Alex.x86@gmail.com on 3 Sep 2012 at 7:13
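As an added example (not ESAPI's code and not part of the issue), the Python below shows the mismatch the report describes: a Tomcat-style 16-byte id rendered as 32 upper-case hex characters fails the shipped `{10,30}` pattern and passes the proposed `{10,32}` one. The helper `tomcat_style_session_id` is a constructed stand-in for Tomcat's generator, and the `.<jvmRoute>` case is included as a caveat: neither pattern admits the dot, so a deployment with a route configured still needs its own adjustment.

```python
import re
import secrets

# The two Validator.HTTPJSESSIONID patterns discussed in the issue:
# the one shipped in esapi.properties and the proposed replacement.
OLD_PATTERN = re.compile(r"^[A-Z0-9]{10,30}$")
PROPOSED_PATTERN = re.compile(r"^[A-Z0-9]{10,32}$")


def tomcat_style_session_id(length_bytes=16, jvm_route=None):
    """Constructed stand-in (hypothetical helper) for a Tomcat-generated id:
    sessionIdLength random bytes as upper-case hex, optionally followed by
    '.<jvmRoute>' as Tomcat appends when a route is configured."""
    sid = secrets.token_bytes(length_bytes).hex().upper()
    return f"{sid}.{jvm_route}" if jvm_route else sid


def is_valid_jsessionid(sid, pattern):
    """Whitelist check in the spirit of ESAPI's HTTPJSESSIONID validation:
    the entire value must match the anchored pattern, nothing more."""
    return pattern.fullmatch(sid) is not None


def compare_patterns(sid):
    """Report whether a session id passes the old and the proposed pattern."""
    return {
        "old": is_valid_jsessionid(sid, OLD_PATTERN),
        "proposed": is_valid_jsessionid(sid, PROPOSED_PATTERN),
    }


if __name__ == "__main__":
    # Default Tomcat length (16 bytes -> 32 hex chars) with and without a route.
    for sid in (tomcat_style_session_id(), tomcat_style_session_id(jvm_route="node1")):
        print(sid, compare_patterns(sid))
```

Run it and the 32-character id prints `{'old': False, 'proposed': True}`, while the routed id is rejected by both patterns.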