CWE-6 - J2EE Misconfiguration: Insufficient Session-ID Length
- Abstraction:Variant
- Structure:Simple
- Status:Incomplete
- Release Date:2006-07-19
- Latest Modification Date:2023-06-29
Weakness Name
J2EE Misconfiguration: Insufficient Session-ID Length
Description
The J2EE application is configured to use an insufficient session ID length.
If an attacker can guess or steal a session ID, then they may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.
Common Consequences
Scope: Access Control
Impact: Gain Privileges or Assume Identity
Notes: If an attacker can guess an authenticated user's session identifier, they can take over the user's session.