Hello,
OWASP has compiled a "top 10" list of vulnerabilities for web applications.
One suggestion against session hijacking was the following: start a new HTTP session after
a successful login:
"Consider regenerating a new session upon successful authentication or privilege
level change."
http://www.owasp.org/index.php/Top_10_2007-A7
Does anybody have a suggestion on how to implement this with Seam?
Are there any votes for a change request?
I have thought of invalidating the current HTTP session, creating a new one and copying
all elements from the old session to the new session. But Seam 2.0.0 doesn't allow
this:
When I use the low-level functions, this is blocked by IllegalStateException("Please
end the HttpSession via Seam.invalidateSession()") in Lifecycle.
When I use Seam.invalidateSession(), the session is only destroyed at the end of the
request, and I am unable to copy any objects.
Thanks, Alexander.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4116276#...
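The copy-invalidate-recreate pattern the post describes, written against the plain Servlet API as an added example (this is not Seam code, not from the original post, and does not go through Seam's session wrapper, which the poster reports throws IllegalStateException on a direct invalidate). The class and method names are made up for the illustration. The one refinement over "copy all elements" is a caller-supplied list of attribute names to discard, so that state an unauthenticated visitor could have planted before login does not get carried into the authenticated session.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Session regeneration after a successful login (defence against session
 * fixation): the pre-login session, whose ID an attacker may have planted,
 * is invalidated and its attributes are moved to a freshly created session
 * with a new ID.  Added example; plain Servlet API, not Seam.
 */
public final class SessionRegenerator {

    private SessionRegenerator() {}

    /**
     * Invalidates the current session (if any), creates a new one and copies
     * every attribute except those named in {@code discard}.  The servlet
     * container issues a new session cookie for the fresh session.
     *
     * @param request the current request; must be called before the
     *                response is committed so the new cookie can be sent
     * @param discard attribute names that must NOT survive the login
     *                (e.g. pre-auth tokens or attacker-controllable state)
     * @return the new session, already populated
     */
    public static HttpSession regenerate(HttpServletRequest request,
                                         Set<String> discard) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();

        if (old != null) {
            // Snapshot the attributes first: after invalidate() every
            // getAttribute() call on the old session throws
            // IllegalStateException.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                if (!discard.contains(name)) {
                    saved.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();
        }

        // getSession(true) after invalidate() yields a brand-new session
        // with a new ID; the container sets the new JSESSIONID cookie.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Typical use is inside the login action, after the credentials have been verified and before the authenticated principal is stored: `HttpSession s = SessionRegenerator.regenerate(request, Collections.singleton("loginAttempts")); s.setAttribute("user", principal);` (the attribute names here are hypothetical). On a Servlet 3.1+ container `request.changeSessionId()` does the ID rotation in place without the copy step, but that API did not exist when Seam 2.0.0 shipped.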