The AppSec recommendation is that the JSESSIONID should change after login. Currently the JSESSIONID is the same before and after login. This is because Jmix refreshes the session ID after logout.
Is there any way or configuration to make this change?
Description:
Session Fixation is an attack that allows an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application.
Risk:
Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn't assign a new session ID, making it possible to use an existing session ID. The attack consists of inducing a user to authenticate himself with a known session ID, and then hijacking the user-validated session by the knowledge of the used session ID.
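As an added illustration (not from the post and not Jmix's own code), the two places where session-ID rotation at login is normally enforced in a Java web application: the servlet-level pattern, and the Spring Security session-management setting that does it for you. It assumes a Servlet 3.1+ container (for `changeSessionId()`), Spring Security 5.2+ for the lambda DSL, and that the application exposes its security configuration as a `SecurityFilterChain` bean; the `jakarta.servlet` package names are an assumption (older stacks use `javax.servlet`).

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

public class SessionRotationExample {

    // Weak pattern: the session created before authentication is simply reused,
    // so the JSESSIONID an attacker may already know stays valid after login.
    static String loginWithoutRotation(HttpServletRequest request, String user) {
        HttpSession session = request.getSession(true);
        session.setAttribute("user", user);
        return session.getId();
    }

    // Hardened pattern: issue a fresh session ID at the moment of authentication.
    // changeSessionId() (Servlet 3.1+) keeps the session's attributes but replaces
    // the identifier, so a pre-login ID no longer maps to the authenticated session.
    static String loginWithRotation(HttpServletRequest request, String user) {
        request.getSession(true);            // make sure a session exists
        String newId = request.changeSessionId();
        request.getSession().setAttribute("user", user);
        return newId;
    }

    // Simple post-login check a test or filter can run: the ID seen before
    // authentication must differ from the one in effect afterwards.
    static boolean sessionIdWasRotated(String idBeforeLogin, String idAfterLogin) {
        return idBeforeLogin != null && !idBeforeLogin.equals(idAfterLogin);
    }

    // Spring Security form of the same control (hypothetical bean for this example):
    // changeSessionId is the default on Servlet 3.1+, so an unchanged JSESSIONID
    // usually means it was overridden with sessionFixation().none() or that login
    // bypasses the Spring Security authentication flow entirely.
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.sessionManagement(session -> session
            .sessionFixation(fixation -> fixation.changeSessionId()));
        return http.build();
    }
}
```

Compare the JSESSIONID cookie in the login response against the one sent in the request; with the hardened configuration the response must carry a new value.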