[jboss-user] [JBoss Seam] - Re: sessionId cookie: man-in-the-middle attack
avbentem
do-not-reply at jboss.com
Sun Jun 3 09:24:17 EDT 2007
"fguerzoni" wrote : forcing a pre-login session invalidation and a new session creation (request.getSession(true)) as soon as client authenticates. Old session data should then be copied to new session.
| In this case a new sessionId cookie will be sent to client: client will use this ticket during next requests.
I think the changes for this JBSEAM-1361 cover Gavin's proposal in this forum topic, but note that existing session data might not be preserved. The session is invalidated using Seam#invalidateSession(), and I think at that point any old session data is lost.
But: I'm not sure; comments welcome!
Arjan.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4050742#4050742
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4050742
More information about the jboss-user
mailing list