[jboss-user] [JBoss Seam] - Re: OWASP / New Session after Login

ahus1 do-not-reply at jboss.com
Sat Jan 5 15:54:13 EST 2008


I found the following workaround to ensure that there is a new session after a login: destroying the original session before the login using a small filter.

This is only a workaround as it destroys the previous session completely; anything, e.g. in a shopping basket, will be lost (as my application doesn't have a shopping basket this is not a problem for me).

A "nice" implementation in Seam shouldn't have this limitation.

I will open a ticket shortly.

Alexander. 

The Java Class:


  | import java.io.IOException;
  | 
  | import javax.servlet.Filter;
  | import javax.servlet.FilterChain;
  | import javax.servlet.FilterConfig;
  | import javax.servlet.ServletException;
  | import javax.servlet.ServletRequest;
  | import javax.servlet.ServletResponse;
  | import javax.servlet.http.HttpServletRequest;
  | import javax.servlet.http.HttpSession;
  | 
  | import org.apache.commons.logging.Log;
  | import org.apache.commons.logging.LogFactory;
  | 
  | /**
  |  * This filter enforces a new session whenever there is a POST, should be mapped
  |  * to the URL of the login page in your web.xml
  |  * @author Alexander Schwartz 2007
  |  */
  | public class NewSessionFilter implements Filter {
  |   private Log log = LogFactory.getLog(NewSessionFilter.class);
  | 
  |   /** Request URI suffix of the login page, taken from init-param "url". */
  |   private String url;
  | 
  |   public void destroy() {
  |     // empty.
  |   }
  | 
  |   public void doFilter(ServletRequest request, ServletResponse response,
  |       FilterChain chain) throws IOException, ServletException {
  |     if (request instanceof HttpServletRequest) {
  |       HttpServletRequest httpRequest = (HttpServletRequest) request;
  |       // getSession(false) only looks up an existing session; getSession() would
  |       // create one as a side effect and the null check would never fire
  |       HttpSession session = httpRequest.getSession(false);
  |       if (httpRequest.getMethod().equals("POST")
  |           && session != null
  |           && !session.isNew()
  |           && httpRequest.getRequestURI().endsWith(url)) {
  |         // drop the pre-login session and its id, then start a fresh one
  |         session.invalidate();
  |         HttpSession newSession = httpRequest.getSession(true);
  |         log.info("new Session:" + newSession.getId());
  |       }
  |     }
  |     chain.doFilter(request, response);
  |   }
  | 
  |   public void init(FilterConfig filterConfig) throws ServletException {
  |     url = filterConfig.getInitParameter("url");
  |     if (url == null) {
  |       throw new ServletException(
  |           "please specify parameter 'url' with login URL");
  |     }
  |   }
  | 
  | }
  | 

The web.xml:


  | 	<filter>
  | 		<display-name>NewSessionFilter</display-name>
  | 		<filter-name>NewSessionFilter</filter-name>
  | 		<filter-class>
  | 			NewSessionFilter
  | 		</filter-class>
  | 		<init-param>
  | 			<param-name>url</param-name>
  | 			<param-value>/iss/login.jsf</param-value>
  | 		</init-param>
  | 	</filter>
  | 	<filter-mapping>
  | 		<filter-name>NewSessionFilter</filter-name>
  | 		<servlet-name>Faces Servlet</servlet-name>
  | 		<url-pattern>/iss/login.jsf</url-pattern>
  | 		<dispatcher>REQUEST</dispatcher>
  | 	</filter-mapping>
  | 

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4117335#4117335

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4117335
