[undertow-dev] sessionId changes between requests?

Bill Burke bburke at redhat.com
Thu Jan 21 23:29:29 EST 2016


Maybe a decoupling of cookie from session ID isn't very feasible...I 
guess I can just turn off the "changeSessionIdOnLogin" switch and change 
the ID within the authenticator instead.

On 1/21/2016 10:28 PM, Stuart Douglas wrote:
> This was done for security reasons (see https://issues.jboss.org/browse/UNDERTOW-579).
>
> I don't know how practical it would be to de-couple the cookie value from the session ID. Could you just use a javax.servlet.http.HttpSessionIdListener to monitor session ID changes?
>
> Stuart
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: undertow-dev at lists.jboss.org
>> Sent: Friday, 22 January, 2016 11:44:53 AM
>> Subject: Re: [undertow-dev] sessionId changes between requests?
>>
>> Ok, found it.  setChangeSessionIdOnLogin()
>>
>> Can I ask why this is done?  Security reasons?  To change the cookie?
>> If it is to change the cookie, would be really good in the future to
>> decouple the session cookie value from the session id so that plugins,
>> like Keycloak, that are remotely managing and monitoring sessions can
>> still do so without creating a security hole.
>>
>> On 1/21/2016 6:10 PM, Bill Burke wrote:
>>> Does a HttpSession ID change between requests?  We are storing the
>>> current HttpSession ID at our IDP after login, then transmitting back to
>>> the app in a background HTTP request, looking up the session and then
>>> invalidating it. This used to work on Wildfly 8 and 9, in 10, looks like
>>> it is not the same http session.
>>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
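As an added illustration of the HttpSessionIdListener approach Stuart suggests (this is example code written for this archive page, not code from the thread, from Undertow, or from Keycloak): a Servlet 3.1 listener that keeps a server-side index from every ID a session has carried, the ID it was created with plus each rotated ID, to the live session. A trusted back-channel request that recorded the pre-login ID can then still find and invalidate the right session, while the cookie value the browser presents has been rotated. The class name, the package and the `invalidateByKnownId` helper are hypothetical; the old IDs live only in this index and are never accepted as an authenticating cookie, so the rotation keeps its protective effect.

```java
package example.session; // hypothetical package name

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

/**
 * Hypothetical tracker: indexes every ID a session has ever carried to the
 * live HttpSession. Only trusted server-side code (for example a back-channel
 * logout handler) consults the index; the container still validates the
 * browser cookie against the current ID only.
 */
@WebListener
public class SessionIdTracker implements HttpSessionIdListener, HttpSessionListener {

    // Single-node, in-memory index. A clustered deployment would need a shared store.
    private static final Map<String, HttpSession> BY_ANY_ID = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        BY_ANY_ID.put(session.getId(), session);
    }

    // Fired by the container whenever the ID is rotated, including
    // HttpServletRequest.changeSessionId() called from an authenticator.
    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        HttpSession session = event.getSession();
        // Keep the old ID as a lookup alias and register the new current ID.
        BY_ANY_ID.put(oldSessionId, session);
        BY_ANY_ID.put(session.getId(), session);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        // Drop every alias that points at the session being destroyed.
        BY_ANY_ID.values().removeIf(s -> s == session);
    }

    /**
     * Back-channel entry point: locate a session by any ID it has ever carried
     * and invalidate it. Returns true only if a live session was found and ended.
     */
    public static boolean invalidateByKnownId(String knownId) {
        HttpSession session = BY_ANY_ID.get(knownId);
        if (session == null) {
            return false;
        }
        try {
            session.invalidate(); // triggers sessionDestroyed, which cleans the index
            return true;
        } catch (IllegalStateException alreadyInvalid) {
            // Session expired or was invalidated concurrently; clear stale aliases.
            BY_ANY_ID.values().removeIf(s -> s == session);
            return false;
        }
    }
}
```

The listener is picked up by annotation scanning (or can be declared in web.xml), and the servlet that receives the background request from the IDP calls `SessionIdTracker.invalidateByKnownId(idFromIdp)`. Because the index only maps IDs to sessions and is never consulted when authenticating a browser cookie, holding the pre-rotation ID here does not reopen the fixation window that changing the ID on login closes.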