logo

CWE-6 - J2EE Misconfiguration: Insufficient Session-ID Length

CWE-6

  • Abstraction:
  • Variant
  • Structure:
  • Simple
  • Status:
  • Incomplete
Weakness Name

J2EE Misconfiguration: Insufficient Session-ID Length

Description

The J2EE application is configured to use an insufficient session ID length.

If an attacker can guess or steal a session ID, then they may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.

Common Consequences

Scope: Access Control

Impact: Gain Privileges or Assume Identity

Notes: If an attacker can guess an authenticated user's session identifier, they can take over the user's session.

Related Weaknesses
  • Release Date:
  • 2006-07-19
  • Latest Modification Date:
  • 2023-06-29

Free security scan for your website