[jboss-user] [JBoss Seam] - Re: OWASP / New Session after Login
ahus1
do-not-reply at jboss.com
Sat Jan 5 15:54:13 EST 2008
I found the following workaround to assure that there is a new session after a login: by destroying the original session before the login using a small filter.
This is only a workaround as it destroys the previous session completely -- anything i.e. in a shopping basket will be lost (as my application doesn't have a shopping basket this is not a problem for me).
A "nice" implementation in seam shouldn't have this limitation.
I will open a ticket shortly.
Alexander.
The Java Class:
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * This filter enforces a new session whenever there is a POST, should be mapped
 * to the URL of the login page in your web.xml
 * @author Alexander Schwartz 2007
 */
public class NewSessionFilter implements Filter {
    private Log log = LogFactory.getLog(NewSessionFilter.class);

    // URI suffix of the login page, read from the filter's "url" init parameter
    private String url;

    public void destroy() {
        // empty.
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            // only a POST (the login form submit) to the login URL from an
            // already existing session triggers the session renewal
            if (httpRequest.getMethod().equals("POST")
                    && httpRequest.getSession() != null
                    && !httpRequest.getSession().isNew()
                    && httpRequest.getRequestURI().endsWith(url)) {
                // drop the pre-login session (and everything stored in it)
                // and start a fresh one with a new id
                httpRequest.getSession().invalidate();
                httpRequest.getSession(true);
                log.info("new Session:" + httpRequest.getSession().getId());
            }
        }
        chain.doFilter(request, response);
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        url = filterConfig.getInitParameter("url");
        if (url == null) {
            throw new ServletException(
                    "please specify parameter 'url' with login URL");
        }
    }

}
The web.xml:
<filter>
    <display-name>NewSessionFilter</display-name>
    <filter-name>NewSessionFilter</filter-name>
    <filter-class>NewSessionFilter</filter-class>
    <init-param>
        <param-name>url</param-name>
        <param-value>/iss/login.jsf</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>NewSessionFilter</filter-name>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/iss/login.jsf</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4117335#4117335