[jboss-user] [Security & JAAS/JBoss] - Session fixation problem
ladam
do-not-reply at jboss.com
Mon May 21 05:17:39 EDT 2007
Hi group,
I have already posted this to the jboss-user ML with no success, so I hope I don't get slapped for crossposting...
We are currently looking for ways to improve the security in our web applications to prevent session fixation.
We are looking for ways to generate a new session ID after a user has been authenticated.
This is our scenario:
- The web application contains public and private content
- Public content is available over HTTP; private/restricted content is only available over HTTPS
- If the user is logged in, communication is done only over HTTPS
We now want to generate a new session ID for the user session once he has authenticated, in order to prevent session fixation / session hijacking (e.g. if Chuck sniffs the HTTP communication, or the user doesn't use cookies and publishes a link with the ;jsessionid parameter).
All the solutions found so far suggest an HttpServletRequest.getSession(true) after an invalidation:

    if (!session.isNew()) {
        session.invalidate();                  // Invalidate old session
        session = request.getSession(true);    // Create new session with a new ID
    }
However, running this code on JBoss does not show the expected behaviour: no new session ID is created.

    HttpSession session = request.getSession(true);
    System.out.println(session.getId());   // Prints "Foo"
    session.invalidate();                  // Invalidate old session
    session = request.getSession(true);    // Should create a new session ID
    System.out.println(session.getId());   // Prints "Foo" again.
Any hints on how we can work around this issue, or on what we are doing wrong here, would be greatly appreciated.
Thanks,
Ludwig
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4047164#4047164
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4047164
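The invalidate-then-recreate pattern from the post, written out with the check a practitioner would want: verify that the container actually handed back a different id, and refuse to treat the login as complete if it did not. This is an added example, not code from the original post or from JBoss; it targets the Servlet 2.x API that JBoss 4 ships, and the class name SessionRegenerator is a hypothetical name chosen here. One thing worth checking in the situation described: in the Tomcat 5.5 code base that JBoss 4 embeds, Request.doGetSession() deliberately creates the new session with the *requested* id when the connector is configured with emptySessionPath="true" and the id arrived in a cookie (it only generates a fresh id when the requested id came from a URL), and JBoss 4's default server.xml sets emptySessionPath="true" on the HTTP connector. That produces exactly the "Foo" / "Foo" output shown, so the check below is not paranoia.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Session-fixation countermeasure for the Servlet 2.x API (JBoss 4 era).
 * Migrates the user's session state into a brand-new session so that the
 * pre-authentication id, which an attacker may have planted through a
 * ;jsessionid URL or captured on the plain-HTTP part of the site, is no
 * longer valid after login.
 *
 * Hypothetical helper written for this example; not part of JBoss.
 */
public final class SessionRegenerator {

    private SessionRegenerator() {}

    /**
     * Invalidates the current session and returns a new one carrying the
     * same attributes. Call this after the credentials have been verified
     * and before the authenticated principal is stored in the session.
     *
     * @throws IllegalStateException if the container returns the old id
     *         again; in that case the fixation has NOT been fixed and the
     *         caller must not continue the login on that session.
     */
    public static HttpSession regenerate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // No pre-authentication session to migrate; just start fresh.
            return request.getSession(true);
        }
        String oldId = old.getId();

        // Copy the attributes first: invalidate() unbinds all of them.
        Map<String, Object> saved = new HashMap<String, Object>();
        Enumeration<?> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            saved.put(name, old.getAttribute(name));
        }

        old.invalidate();
        HttpSession fresh = request.getSession(true);

        // The check the original post is missing. Tomcat 5.5 / JBoss Web
        // reuse the requested id when the connector has
        // emptySessionPath="true" and the id came from a cookie, which
        // silently defeats the whole exercise.
        if (fresh.getId().equals(oldId)) {
            fresh.invalidate();
            throw new IllegalStateException("container reused session id "
                    + oldId + "; check the connector's emptySessionPath "
                    + "setting before relying on session regeneration");
        }

        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /**
     * Typical call site in a login servlet: regenerate first, then mark the
     * new session as authenticated. The attribute name is an assumption.
     */
    public static void completeLogin(HttpServletRequest request, String user) {
        HttpSession session = regenerate(request);
        session.setAttribute("authenticatedUser", user);
    }
}
```

Design notes: copying the attributes is deliberate (a shopping cart or CSRF token created before login should survive), but anything bound before authentication was bound under an id the attacker may know, so copy only what the application is happy to have been influenced by an unauthenticated request. Throwing rather than logging is also deliberate: a login that continues on a fixed id is worse than a login that fails loudly. On a Servlet 3.1 or later container the same migration is a single call, request.changeSessionId(), which keeps the attributes and swaps only the id.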