[jboss-user] [JBoss Seam] - OWASP / New Session after Login

ahus1 do-not-reply at jboss.com
Tue Jan 1 17:28:03 EST 2008


Hello,

OWASP has compiled a "top 10" vulnerabilities for web applications.

One suggestion against session hijacking was the following: Start a new HTTP-Session after a successful login:

"Consider regenerating a new session upon successful authentication or privilege level change."

http://www.owasp.org/index.php/Top_10_2007-A7

Does anybody have a suggestion how to implement this with seam? 

Are there any votes for a change request?

I have thought of invalidating the current HTTP session, creating a new one and copying all elements from the old session to the new session. But Seam 2.0.0 doesn't allow this:

When I use the low-level functions this is blocked by IllegalStateException("Please end the HttpSession via Seam.invalidateSession()") in Lifecycle

When I use Seam.invalidateSession(), the session is only destroyed at the end of the request and I am unable to copy any objects.

Thanks, Alexander.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4116276#4116276
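The approach the post describes (snapshot the session attributes, invalidate the session, get a new one, copy the attributes back) written against the plain Servlet API, as an added illustration that is not from the original post and not Seam code. It assumes a hypothetical helper class SessionRegenerator called right after authentication succeeds; as the post notes, Seam 2.0.0's Lifecycle check rejects direct HttpSession.invalidate(), so this shows the servlet-level mechanism only.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not part of Seam): issue a fresh session id after a
 * successful login so that an id handed out before authentication is never
 * tied to the authenticated user (session fixation defence, OWASP 2007 A7).
 */
public final class SessionRegenerator {

    private SessionRegenerator() {}

    /** Returns the new session that now carries the old session's state. */
    public static HttpSession regenerate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // No pre-login session to migrate: just start a fresh one.
            return request.getSession(true);
        }

        // 1. Snapshot every attribute of the pre-authentication session.
        Map<String, Object> saved = new HashMap<String, Object>();
        Enumeration<?> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            saved.put(name, old.getAttribute(name));
        }

        // 2. Invalidate the old session; the container retires its id.
        old.invalidate();

        // 3. Ask for a new session: the container generates a new id here.
        HttpSession fresh = request.getSession(true);

        // 4. Restore the saved state into the new session.
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Any framework that keeps its own references to the HttpSession object (as Seam's contexts do) must be told about the swap, which is exactly why the low-level route is blocked in Seam 2.0.0.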
