Tags: spring-mvc, session, cookies, spring-security, session-hijacking

Can we avoid session hijacking using Spring Security?


We are using Apache Tomcat as the server for our Spring MVC based web application. If a user has logged in from a browser, let's say Chrome, and we copy its JSESSIONID and paste it into another browser, let's say Firefox, then from Firefox we are able to access the modules assigned to the user who logged in from Chrome.

How can we prevent such session hijacking by using Spring Security? Or, in general, what should we code in order to get rid of session hijacking? Thanks!


Solution

I did this to make it secure and HttpOnly and it worked. Implementation procedure in Apache Tomcat:

1) Open the httpd.conf file. Find the following line using CTRL + F in your text editor:

    #LoadModule headers_module modules/mod_headers.so

2) Remove the #

3) Add the following entry in httpd.conf:

    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

4) Restart Apache HTTP server.
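The answer above sets the cookie flags at the reverse proxy. The same flags can be set inside the application, and Spring Security adds two controls that address the scenario in the question more directly: regenerating the session id at login (so an id that existed before authentication never becomes a logged-in session) and limiting each user to one concurrent session (so a second browser presenting a copied id, or the original browser, gets invalidated when the other one logs in). The configuration below is an added example, not code from the question or the answer; it assumes Spring Boot 3 / Spring Security 6 (jakarta servlet namespace; on older stacks use the javax imports), and the class and bean names are assumptions.

```java
// Added example, not from the question or answer above: Spring Security configuration that
// hardens the HTTP session against hijacking. Assumes Spring Boot 3 / Spring Security 6.
import jakarta.servlet.ServletContext;
import jakarta.servlet.SessionCookieConfig;
import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SessionHardeningConfig { // class name is an assumption

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                // Issue a new JSESSIONID when the user authenticates and copy the attributes over,
                // so a session id obtained before login does not turn into an authenticated session.
                .sessionFixation(fixation -> fixation.migrateSession())
                // Allow one active session per principal. With maxSessionsPreventsLogin(false) a
                // new login expires the older session, so two browsers cannot share one account
                // for long; set it to true to reject the second login instead.
                .maximumSessions(1)
                .maxSessionsPreventsLogin(false))
            .logout(logout -> logout
                // On logout destroy the server-side session and clear the cookie in the browser.
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID"));
        return http.build();
    }

    // Cookie flags set on the servlet container: HttpOnly keeps JSESSIONID out of reach of
    // page scripts, Secure keeps it off plaintext HTTP. This is the in-application equivalent
    // of the Set-Cookie header edit shown in the answer.
    @Bean
    public ServletContextInitializer sessionCookieFlags() {
        return (ServletContext ctx) -> {
            SessionCookieConfig cookie = ctx.getSessionCookieConfig();
            cookie.setHttpOnly(true);
            cookie.setSecure(true);
        };
    }
}
```

Two points worth keeping in mind when reading this. The concurrent-session control relies on Spring Security's session registry, which needs the `HttpSessionEventPublisher` listener registered (in Spring Boot, declare it as a bean) so that invalidated sessions are removed from the registry. And none of these settings let the server distinguish a JSESSIONID that was copied by hand from the original: the id is a bearer credential, so the flags and the session-fixation protection reduce how easily it leaks and how long a leaked copy stays valid (pair them with a short `server.servlet.session.timeout`), rather than making a stolen copy unusable.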