Avoid Session fixation and clearing ASP.net session id when logout
Application Type
Traditional Web

Hi All,

       We found Session fixation in our application by Pen test so we tried to avoid this by enabling Session fixation in factory configuration which is inbuild functionality by Outsystems. But when we repeating the pen test its showing the issue is unchanged.

     So we found the session token ID is not expiring even after the user logs out, when the same user login again new session ID appending with existing session ID, so we want to remove the session whenever the user logout or session is timeout.

Is there any solution for this in Outsystems?

Thanks in Advance.


Did you publish a solution after changing this in Factory Configuration? Usually it is not applied untill the apps are re-published.

Hi @Bas de Jong 

    Yes we did the republish after changing the factory configuration. Do you have any other suggestion?



Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.