CWE-6 - J2EE Misconfiguration: Insufficient Session-ID Length
CWE-6
- Abstraction:
- Variant
- Structure:
- Simple
- Status:
- Incomplete
- Weakness Name
J2EE Misconfiguration: Insufficient Session-ID Length
- Description
The J2EE application is configured to use an insufficient session ID length.
If an attacker can guess or steal a session ID, then they may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.
- Common Consequences
Scope: Access Control
Impact: Gain Privileges or Assume Identity
Notes: If an attacker can guess an authenticated user's session identifier, they can take over the user's session.
- Related Weaknesses
- Release Date:
- 2006-07-19
- Latest Modification Date:
- 2023-06-29
Free security scan for your website