Maybe a decoupling of cookie from session ID isn't very feasible...I
guess I can just turn off the "changeSessionIdOnLogin" switch and change
the ID within the authenticator instead.
On 1/21/2016 10:28 PM, Stuart Douglas wrote:
This was done for security reasons (see
https://issues.jboss.org/browse/UNDERTOW-579).
I don't know how practical it would be to de-couple the cookie value from the session
ID. Could you just use a javax.servlet.http.HttpSessionIdListener to monitor session ID
changes?
Stuart
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: undertow-dev(a)lists.jboss.org
> Sent: Friday, 22 January, 2016 11:44:53 AM
> Subject: Re: [undertow-dev] sessionId changes between requests?
>
> Ok, found it. setChangeSessionIdOnLogin()
>
> Can I ask why this is done? Security reasons? To change the cookie?
> If it is to change the cookie, would be really good in the future to
> decouple the session cookie value from the session id so that plugins,
> like Keycloak, that are remotely managing and monitoring sessions can
> still do so without creating a security hole.
>
> On 1/21/2016 6:10 PM, Bill Burke wrote:
>> Does a HttpSession ID change between requests? We are storing the
>> current HttpSession ID at our IDP after login, then transmitting back to
>> the app in a background HTTP request, looking up the session and then
>> invalidating it. This used to work on Wildfly 8 and 9, in 10, looks like
>> it is not the same http session.
>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
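What Stuart's HttpSessionIdListener suggestion looks like in practice, as an added example that is not part of the thread and not Keycloak or Undertow code. Undertow rotates the session ID at login (the session-fixation protection behind UNDERTOW-579), so an ID an IdP recorded before login no longer resolves. The listener below records every ID a session has carried, so a back-channel request can still find and invalidate the session by the stale ID, while the container keeps rejecting the old ID on the cookie path. It assumes Servlet 3.1 (javax.servlet, as on WildFly 10) and in-memory, non-distributable sessions; the class name and the invalidate/lookup helpers are hypothetical.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

/**
 * Keeps a session reachable by every ID it has ever had, so an IdP that stored
 * the pre-login ID can still ask us to invalidate the session after the
 * container rotated the ID at login. Hypothetical helper for illustration.
 */
@WebListener
public class SessionIdAliasListener implements HttpSessionIdListener, HttpSessionListener {

    // Any ID (current or former) -> live session. Static so the servlet that
    // handles the IdP's back-channel request can reach it. Per JVM only.
    private static final Map<String, HttpSession> SESSION_BY_ANY_ID = new ConcurrentHashMap<>();

    // Current ID -> all IDs that map to the same session, for cleanup on destroy.
    private static final Map<String, Set<String>> ALIASES_BY_CURRENT_ID = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        String id = session.getId();
        SESSION_BY_ANY_ID.put(id, session);
        Set<String> ids = ConcurrentHashMap.newKeySet();
        ids.add(id);
        ALIASES_BY_CURRENT_ID.put(id, ids);
    }

    @Override
    public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
        // Fired after HttpServletRequest.changeSessionId(), which is what
        // Undertow calls at login. The old ID stays valid only for our own
        // lookups; the container will not accept it from a cookie anymore.
        HttpSession session = se.getSession();
        String newId = session.getId();
        Set<String> ids = ALIASES_BY_CURRENT_ID.remove(oldSessionId);
        if (ids == null) {
            ids = ConcurrentHashMap.newKeySet();
        }
        ids.add(oldSessionId);
        ids.add(newId);
        ALIASES_BY_CURRENT_ID.put(newId, ids);
        SESSION_BY_ANY_ID.put(oldSessionId, session);
        SESSION_BY_ANY_ID.put(newId, session);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Called before invalidation completes, so getId() is still usable.
        // Drop every alias so no reference to the dead session leaks.
        String id = se.getSession().getId();
        Set<String> ids = ALIASES_BY_CURRENT_ID.remove(id);
        if (ids != null) {
            for (String alias : ids) {
                SESSION_BY_ANY_ID.remove(alias);
            }
        }
        SESSION_BY_ANY_ID.remove(id);
    }

    /** Resolve by any ID the session has had; null if unknown or already gone. */
    public static HttpSession lookup(String anyId) {
        return SESSION_BY_ANY_ID.get(anyId);
    }

    /**
     * Invalidate the session behind an ID the IdP recorded. Returns false if
     * nothing matched. invalidate() fires sessionDestroyed, which cleans up.
     */
    public static boolean invalidate(String anyId) {
        HttpSession session = SESSION_BY_ANY_ID.get(anyId);
        if (session == null) {
            return false;
        }
        try {
            session.invalidate();
        } catch (IllegalStateException alreadyInvalid) {
            // Raced with a concurrent invalidation; the aliases are gone already.
        }
        return true;
    }
}
```

The servlet that receives the IdP's background logout request would call `SessionIdAliasListener.invalidate(idFromIdp)` with whatever ID the IdP stored, before or after the login rotation. Two caveats a deployment should keep in mind: the maps live in one JVM, so distributable sessions need the alias table in the shared session store instead; and holding the old ID only in this server-side table, never honouring it from a cookie, is what keeps the approach from undoing the fixation protection that the rotation exists for.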