The problem, as seen from LPP-6367:
session.enable.phishing.protection=false => the session ID in step 2 is transmitted over HTTP and can be accessed by a MITM. In step 4 the session ID is authenticated, but no new session is created => the attacker can now use it.
My Question to Tomas:
Would setting the following:
protect the session ID?
session.enable.phishing.protection: it seems it's used only for login form authentication. That means the session is refreshed only during form login. But AutoLoginFilter doesn't use the property, which means all the SSO authentications we have are vulnerable. => No, it won't protect the session ID.
Thus, we need enhancements to session.enable.phishing.protection to support this.
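The following is an added illustration, not Liferay code, of why the property has to take effect on every authentication path. It models a minimal in-memory session store (the `SessionStore` class, the `authenticate` and `fixation_check` functions and the `rotate_all_paths` switch are all constructed for this example) and checks whether a session ID observed before login (step 2 above) still resolves to the logged-in session after step 4. Rotation is skipped on the auto-login path unless `rotate_all_paths` is set, mirroring the behaviour described for AutoLoginFilter.

```python
import secrets


class SessionStore:
    """Constructed stand-in for a servlet container's session registry."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # Pre-authentication session, as handed out in step 2.
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def rotate(self, sid):
        # Move the session data under a fresh ID and retire the old one,
        # so an ID captured before login no longer maps to anything.
        data = self._sessions.pop(sid)
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = data
        return new_sid


def authenticate(store, sid, user, *, phishing_protection, form_login,
                 rotate_all_paths=False):
    """Step 4: bind the authenticated principal to the session.

    Current behaviour (as described in the thread): the session ID is only
    rotated when phishing protection is on AND the request came through the
    login form. rotate_all_paths=True models the proposed enhancement, where
    auto-login / SSO paths rotate as well. Returns the ID the client should
    use from now on.
    """
    session = store.get(sid)
    if session is None:
        raise KeyError("unknown session")
    rotate = phishing_protection and (form_login or rotate_all_paths)
    if rotate:
        sid = store.rotate(sid)
        session = store.get(sid)
    session["user"] = user
    return sid


def fixation_check(phishing_protection, form_login, rotate_all_paths=False):
    """True if an ID observed before authentication still grants the
    authenticated session afterwards, i.e. the session-fixation window is open."""
    store = SessionStore()
    observed_sid = store.create()  # the ID seen over HTTP in step 2
    authenticate(store, observed_sid, "alice",
                 phishing_protection=phishing_protection,
                 form_login=form_login,
                 rotate_all_paths=rotate_all_paths)
    stale = store.get(observed_sid)
    return stale is not None and stale["user"] == "alice"


if __name__ == "__main__":
    print("protection off, form login   :", fixation_check(False, True))
    print("protection on,  form login   :", fixation_check(True, True))
    print("protection on,  auto-login   :", fixation_check(True, False))
    print("protection on,  all paths fix:", fixation_check(True, False, rotate_all_paths=True))
```

The third case is the one the thread is about: with the property enabled but the auto-login path not honouring it, the pre-authentication ID still works after login. The fourth case shows what closing that path looks like.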