[jboss-user] *Repost* Session fixation / getSession(true) does not create new SessionID

Ludwig Adam ladam at petafuel.de
Fri May 18 15:33:06 EDT 2007


Hi,
reposting this issue, please direct me to the right group if I am wrong here :-)
Can anyone help on the issue below?

Thanks,
Ludwig


-----Original Message-----
From: jboss-user-bounces at lists.jboss.org [mailto:jboss-user-bounces at lists.jboss.org] On Behalf Of Ludwig Adam
Sent: Wednesday, 16 May 2007 18:29
To: jboss-user at lists.jboss.org
Subject: *SPAM* [jboss-user] Session fixation / getSession(true) does not create new SessionID

Hi group,
we are currently looking for ways to improve the security of our web
applications to prevent session fixation.
We are looking for ways to generate a new session ID after a user has
been authenticated.

This is our scenario:

- The web application contains public and private content
- public content is available by http, private/restricted content is
only available by https
- If the user is logged in, communication is done only by https

We now want to generate a new session ID for the user session once he
has authenticated in order to prevent session fixation / session
hijacking (e.g. if Chuck sniffs the http communication, or the user doesn't
use cookies and publishes a link with the ;jsessionid parameter).

The solutions found so far all suggested a
HttpServletRequest.getSession(true) after an invalidation:

if (session.isNew()) {
   session.invalidate(); // Invalidate old Session
   session= request.getSession(true); // Create new Session ID
}

However, running this code on JBoss does not show the expected
behaviour; no new session ID is created.

System.out.println(session.getId()); // Prints "Foo"
session.invalidate(); // Invalidate old Session
session = request.getSession(true); // Should create new SessionID
System.out.println(session.getId()); // Prints "Foo" again.

Any hints on how we can work around this issue or what we are doing wrong
here are greatly appreciated.

Thanks,
Ludwig

_______________________________________________
jboss-user mailing list
jboss-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user