[undertow-dev] sessionId changes between requests?

Stuart Douglas sdouglas at redhat.com
Thu Jan 21 22:28:19 EST 2016


This was done for security reasons (see https://issues.jboss.org/browse/UNDERTOW-579).

I don't know how practical it would be to de-couple the cookie value from the session ID. Could you just use a javax.servlet.http.HttpSessionIdListener to monitor session ID changes?

Stuart

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: undertow-dev at lists.jboss.org
> Sent: Friday, 22 January, 2016 11:44:53 AM
> Subject: Re: [undertow-dev] sessionId changes between requests?
> 
> Ok, found it.  setChangeSessionIdOnLogin()
> 
> Can I ask why this is done?  Security reasons?  To change the cookie?
> If it is to change the cookie, would be really good in the future to
> decouple the session cookie value from the session id so that plugins,
> like Keycloak, that are remotely managing and monitoring sessions can
> still do so without creating a security hole.
> 
> On 1/21/2016 6:10 PM, Bill Burke wrote:
> > Does a HttpSession ID change between requests?  We are storing the
> > current HttpSession ID at our IDP after login, then transmitting back to
> > the app in a background HTTP request, looking up the session and then
> > invalidating it. This used to work on Wildfly 8 and 9, in 10, looks like
> > it is not the same http session.
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
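As an added illustration of Stuart's suggestion (example code, not from the thread, Undertow or Keycloak): a hypothetical listener combining HttpSessionIdListener with HttpSessionListener so that a session can still be located server-side by the ID it carried before the on-login rotation, which is what the IDP-driven invalidation in Bill's scenario needs. The class and method names (SessionIdTracker, invalidateByAnyId) are assumptions.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

// Hypothetical listener: maps every ID a session has ever had to the live session.
// The map is only consulted for server-side lookups (e.g. a back-channel logout from
// the IDP); requests are still authenticated by the container against the CURRENT
// ID only, so the session-fixation protection of the on-login rotation is preserved.
@WebListener
public class SessionIdTracker implements HttpSessionIdListener, HttpSessionListener {

    private static final Map<String, HttpSession> SESSIONS_BY_ANY_ID = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        SESSIONS_BY_ANY_ID.put(se.getSession().getId(), se.getSession());
    }

    @Override
    public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
        // Fired when the container calls changeSessionId(), e.g. the rotation on login.
        HttpSession session = se.getSession();
        SESSIONS_BY_ANY_ID.put(session.getId(), session);
        SESSIONS_BY_ANY_ID.put(oldSessionId, session); // stale ID stays resolvable internally
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        SESSIONS_BY_ANY_ID.values().removeIf(s -> s == session); // drop all aliases
    }

    /** Invalidates the session known under any current or superseded ID; false if unknown. */
    public static boolean invalidateByAnyId(String id) {
        HttpSession session = SESSIONS_BY_ANY_ID.get(id);
        if (session == null) {
            return false;
        }
        try {
            session.invalidate(); // triggers sessionDestroyed, which cleans the map
        } catch (IllegalStateException alreadyInvalid) {
            SESSIONS_BY_ANY_ID.values().removeIf(s -> s == session);
        }
        return true;
    }
}
```

In a clustered deployment the map would need to live in the same distributed store as the sessions themselves, since it holds references to local HttpSession objects.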
