https://connect.hyland.com/t5/alfresco-forum/strange-behaviour-with-jsessionid-creating-session-fixation/m-p/42989#M17803 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>After adding an OOTB evaluator&nbsp;<STRONG>group.module.evaluator&nbsp;</STRONG>in my <A href="https://pastebin.com/fB6Y4BPr" rel="nofollow noopener noreferrer">extension module</A> for hiding <STRONG>Create Site</STRONG> option for non admin user, which BTW works fine, I can see that there is a change in the way JSESSIONID is created.</P><P></P><P>In normal standalone share project&nbsp;<SPAN>JSESSIONID is created when the user logs in and refreshes on every login but after adding the above evaluator I can see the&nbsp;<SPAN>JSESSIONID is getting created the moment I hit the login page and it stays there even after the login but refreshes on every logout.</SPAN></SPAN></P><P><SPAN></SPAN></P><P><SPAN><SPAN>I did some digging into the Alfresco code for the evaluator bean and found out that&nbsp;<STRONG>isMemberOfGroups&nbsp;</STRONG>method of the&nbsp;<STRONG>SlingshotEvaluatorUtil&nbsp;</STRONG>class called from the <STRONG>SlingshotGroupModuleEvaluator&nbsp;</STRONG>class&nbsp;creates a session for storing the&nbsp;GROUP membership in the session.</SPAN></SPAN></P><P><SPAN></SPAN></P><P><SPAN><SPAN>Now this behaviour&nbsp;creates a <A href="https://www.owasp.org/index.php/Session_fixation" rel="nofollow noopener noreferrer">Session Fixation</A> issue&nbsp;<SPAN style="color: #252525; background-color: #ffffff; font-size: 14px;">that permits an attacker to hijack a valid user session.</SPAN></SPAN></SPAN></P><P><SPAN></SPAN></P><P><SPAN><SPAN style="background-color: #ffffff; color: #252525; font-size: 14px;">Can anyone please suggest what can be done here ??</SPAN></SPAN></P><P><SPAN></SPAN></P><P><SPAN></SPAN></P><P><SPAN><SPAN style="background-color: #ffffff; color: #252525; font-size: 14px;">Thanks</SPAN></SPAN></P><P><SPAN><SPAN style="background-color: #ffffff; color: #252525; font-size: 14px;">Hiten Rastogi</SPAN></SPAN></P></BODY></HTML> Thu, 10 May 2018 10:21:58 GMT hiten_rastogi1 2018-05-10T10:21:58Z https://connect.hyland.com/t5/alfresco-forum/strange-behaviour-with-jsessionid-creating-session-fixation/m-p/42989#M17803 Hi,After adding an OOTB evaluator&nbsp;group.module.evaluator&nbsp;in my extension module for hiding Create Site option for non admin user, which BTW works fine, I can see that there is a change in the way JSESSIONID is created.In normal standalone share project&nbsp;JSESSIONID is created when the user logs in and Thu, 10 May 2018 10:21:58 GMT https://connect.hyland.com/t5/alfresco-forum/strange-behaviour-with-jsessionid-creating-session-fixation/m-p/42989#M17803 hiten_rastogi1 2018-05-10T10:21:58Z https://connect.hyland.com/t5/alfresco-forum/strange-behaviour-with-jsessionid-creating-session-fixation/m-p/42990#M17804 <HTML><HEAD></HEAD><BODY><P>Create an issue in the Alfresco JIRA and maybe even a pull request on the Alfresco Surf project to make the login controller always create a new session as part of the login (currently it only creates a new session if the old session contains a specific attribute to denote an already authenticated user).</P></BODY></HTML> Fri, 11 May 2018 08:24:53 GMT https://connect.hyland.com/t5/alfresco-forum/strange-behaviour-with-jsessionid-creating-session-fixation/m-p/42990#M17804 afaust 2018-05-11T08:24:53Z https://connect.hyland.com/t5/alfresco-forum/strange-behaviour-with-jsessionid-creating-session-fixation/m-p/42991#M17805 <HTML><HEAD></HEAD><BODY><P>Thanks Axel,</P><P></P><P>I have created an issue.&nbsp;</P><P></P><P><A class="link-titled" href="https://issues.alfresco.com/jira/browse/AIF-430" title="https://issues.alfresco.com/jira/browse/AIF-430" rel="nofollow noopener noreferrer">https://issues.alfresco.com/jira/browse/AIF-430</A>&nbsp;</P></BODY></HTML> Fri, 11 May 2018 08:40:27 GMT https://connect.hyland.com/t5/alfresco-forum/strange-behaviour-with-jsessionid-creating-session-fixation/m-p/42991#M17805 hiten_rastogi1 2018-05-11T08:40:27Z https://connect.hyland.com/t5/alfresco-forum/strange-behaviour-with-jsessionid-creating-session-fixation/m-p/42992#M17806 <HTML><HEAD></HEAD><BODY><P>NEVER create an issue in any project other then ALF unless you are absolutely sure it is the right one. The project you have chosen&nbsp;has nothing to do with Share...</P></BODY></HTML> Fri, 11 May 2018 15:25:49 GMT https://connect.hyland.com/t5/alfresco-forum/strange-behaviour-with-jsessionid-creating-session-fixation/m-p/42992#M17806 afaust 2018-05-11T15:25:49Z