By: Joey Cataplush user 01 Dec 2021 at 11:49 p.m. CST

2 Responses
Hi Mike, Bob, Zico, Mohammed, et al. Long time Gluu fan/implementer here. (since the 2.x days ;-) ) I remember 2 or 3 years ago there was an update to Gluu (circa 4.1 or pre 4.1 iirc) where when a user authenticated a session, the actual sessionID that was authenticated was new (meaning different than the sessionID returned upon the first visit to the OP). I recall either seeing a support ticket, or release notes linked to a GitHub issue describing the "why" in further details. I've searched for a while and cannot find the reference. I know it was a security-related feature but don't recall the organizing spec/group recommending that change. If you know the ticket/GitHub issue I'm referring to, could you please post it here? Thanks!

By Yuriy Zabrovarnyy staff 02 Dec 2021 at 1:23 a.m. CST

Ticket is here: https://github.com/GluuFederation/oxAuth/issues/1242

Behavior can be on/off depending on configuration property (`changeSessionIdOnAuthentication: true`).

BR, Yuriy

By Joey Cataplush user 02 Dec 2021 at 11:25 a.m. CST

Thanks Yuri!
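
The behaviour discussed in this thread, as an added sketch that is not oxAuth code and not part of any post: a toy in-memory session store in which a flag named after `changeSessionIdOnAuthentication` decides whether the pre-authentication session ID is retired at login, which is the usual defence against session fixation. The class, its method names and the user `alice` are constructed for illustration.

```python
import secrets


class SessionStore:
    """Toy in-memory OP session store (constructed for illustration)."""

    def __init__(self, change_session_id_on_authentication=True):
        # Hypothetical flag modelled on the property named in the thread.
        self.rotate = change_session_id_on_authentication
        self.sessions = {}  # session_id -> {"user": name or None}

    def first_visit(self):
        """Issue an unauthenticated session, as on the first visit to the OP."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def authenticate(self, sid, user):
        """Mark the session authenticated; return the ID the browser holds next."""
        state = self.sessions.get(sid)
        if state is None:
            raise KeyError("unknown session")
        if self.rotate:
            # Retire the pre-authentication ID so it can never carry the login.
            del self.sessions[sid]
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = state
        state["user"] = user
        return sid

    def user_for(self, sid):
        """Return the authenticated user bound to sid, or None."""
        state = self.sessions.get(sid)
        return state["user"] if state else None


def pre_auth_id_outcome(rotate):
    """Return (user seen via the pre-auth ID, user seen via the post-auth ID)."""
    store = SessionStore(change_session_id_on_authentication=rotate)
    known_id = store.first_visit()  # ID that existed before login
    new_id = store.authenticate(known_id, "alice")
    return store.user_for(known_id), store.user_for(new_id)


if __name__ == "__main__":
    print("rotation on :", pre_auth_id_outcome(True))
    print("rotation off:", pre_auth_id_outcome(False))
```

With rotation on, the identifier that existed before login resolves to no user afterwards; with it off, the same identifier carries the authenticated session.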