[jboss-user] [JBoss Seam] - OWASP / New Session after Login
ahus1
do-not-reply at jboss.com
Tue Jan 1 17:28:03 EST 2008
Hello,
OWASP has compiled a "top 10" vulnerablilities for web applications.
One suggestion against session hijacking was the following: Start a new HTTP-Session after a successful login:
"Consider regenerating a new session upon successful authentication or privilege level change."
http://www.owasp.org/index.php/Top_10_2007-A7
Does anybody have a suggestion how to implement this with seam?
Are there any votes for a change request?
I have thought of invalidating the current HTTP session, creating a new one and copying all elements from the old session to the new session. But Seam 2.0.0 doesn't allow this:
When I use the lowlevel functions this is blocked by IllegalStateException("Please end the HttpSession via Seam.invalidateSession()") in Lifecyle
When I use Seam.invalidateSession(), the session is only destroyed at the end of the request and I am unable to copy any objects.
Thanks, Alexander.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4116276#4116276
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4116276
More information about the jboss-user
mailing list