5:10 p.m.
Does a HttpSession ID change between requests? We are storing the
current HttpSession ID at our IDP after login, then transmitting back to
the app in a background HTTP request, looking up the session and then
invalidating it. This used to work on Wildfly 8 and 9, in 10, looks like
it is not the same http session.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
6:44 p.m.
Ok, found it. setChangeSessionIdOnLogin()
Can I ask why this is done? Security reasons? To change the cookie?
If it is to change the cookie, would be really good in the future to
decouple the session cookie value from the session id so that plugins,
like Keycloak, that are remotely managing and monitoring sessions can
still do so without creating a security hole.
On 1/21/2016 6:10 PM, Bill Burke wrote:
Does a HttpSession ID change between requests? We are storing the
current HttpSession ID at our IDP after login, then transmitting back to
the app in a background HTTP request, looking up the session and then
invalidating it. This used to work on Wildfly 8 and 9, in 10, looks like
it is not the same http session.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:28 p.m.
This was done for security reasons (see https://issues.jboss.org/browse/UNDERTOW-579).
I don't know how practical it would be to de-couple the cookie value from the session
ID. Could you just use a javax.servlet.http.HttpSessionIdListener to monitor session ID
changes?
Stuart
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: undertow-dev(a)lists.jboss.org
Sent: Friday, 22 January, 2016 11:44:53 AM
Subject: Re: [undertow-dev] sessionId changes between requests?
Ok, found it. setChangeSessionIdOnLogin()
Can I ask why this is done? Security reasons? To change the cookie?
If it is to change the cookie, would be really good in the future to
decouple the session cookie value from the session id so that plugins,
like Keycloak, that are remotely managing and monitoring sessions can
still do so without creating a security hole.
On 1/21/2016 6:10 PM, Bill Burke wrote:
> Does a HttpSession ID change between requests? We are storing the
> current HttpSession ID at our IDP after login, then transmitting back to
> the app in a background HTTP request, looking up the session and then
> invalidating it. This used to work on Wildfly 8 and 9, in 10, looks like
> it is not the same http session.
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev
10:29 p.m.
Maybe a decoupling of cookie from session ID isn't very feasible...I
guess I can just turn off the "changeSessionIdOnLogin" switch and change
the ID within the authenticator instead.
On 1/21/2016 10:28 PM, Stuart Douglas wrote:
This was done for security reasons (see
https://issues.jboss.org/browse/UNDERTOW-579).
I don't know how practical it would be to de-couple the cookie value from the session
ID. Could you just use a javax.servlet.http.HttpSessionIdListener to monitor session ID
changes?
Stuart
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: undertow-dev(a)lists.jboss.org
> Sent: Friday, 22 January, 2016 11:44:53 AM
> Subject: Re: [undertow-dev] sessionId changes between requests?
>
> Ok, found it. setChangeSessionIdOnLogin()
>
> Can I ask why this is done? Security reasons? To change the cookie?
> If it is to change the cookie, would be really good in the future to
> decouple the session cookie value from the session id so that plugins,
> like Keycloak, that are remotely managing and monitoring sessions can
> still do so without creating a security hole.
>
> On 1/21/2016 6:10 PM, Bill Burke wrote:
>> Does a HttpSession ID change between requests? We are storing the
>> current HttpSession ID at our IDP after login, then transmitting back to
>> the app in a background HTTP request, looking up the session and then
>> invalidating it. This used to work on Wildfly 8 and 9, in 10, looks like
>> it is not the same http session.
>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
11:14 p.m.
Something to be aware of is that in Servlet 3.1 users can also trigger this change by
calling javax.servlet.http.HttpServletRequest.changeSessionId().
Not sure if that will also cause issues for you or not.
Stuart
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stuart Douglas" <sdouglas(a)redhat.com>
Cc: undertow-dev(a)lists.jboss.org
Sent: Friday, 22 January, 2016 3:29:29 PM
Subject: Re: [undertow-dev] sessionId changes between requests?
Maybe a decoupling of cookie from session ID isn't very feasible...I
guess I can just turn off the "changeSessionIdOnLogin" switch and change
the ID within the authenticator instead.
On 1/21/2016 10:28 PM, Stuart Douglas wrote:
> This was done for security reasons (see
> https://issues.jboss.org/browse/UNDERTOW-579).
>
> I don't know how practical it would be to de-couple the cookie value from
> the session ID. Could you just use a
> javax.servlet.http.HttpSessionIdListener to monitor session ID changes?
>
> Stuart
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: undertow-dev(a)lists.jboss.org
>> Sent: Friday, 22 January, 2016 11:44:53 AM
>> Subject: Re: [undertow-dev] sessionId changes between requests?
>>
>> Ok, found it. setChangeSessionIdOnLogin()
>>
>> Can I ask why this is done? Security reasons? To change the cookie?
>> If it is to change the cookie, would be really good in the future to
>> decouple the session cookie value from the session id so that plugins,
>> like Keycloak, that are remotely managing and monitoring sessions can
>> still do so without creating a security hole.
>>
>> On 1/21/2016 6:10 PM, Bill Burke wrote:
>>> Does a HttpSession ID change between requests? We are storing the
>>> current HttpSession ID at our IDP after login, then transmitting back to
>>> the app in a background HTTP request, looking up the session and then
>>> invalidating it. This used to work on Wildfly 8 and 9, in 10, looks like
>>> it is not the same http session.
>>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
7:50 a.m.
Is this safe for load balancers and sticky sessions?
On 1/22/2016 12:14 AM, Stuart Douglas wrote:
Something to be aware of is that in Servlet 3.1 users can also
trigger this change by calling javax.servlet.http.HttpServletRequest.changeSessionId().
Not sure if that will also cause issues for you or not.
Stuart
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stuart Douglas" <sdouglas(a)redhat.com>
> Cc: undertow-dev(a)lists.jboss.org
> Sent: Friday, 22 January, 2016 3:29:29 PM
> Subject: Re: [undertow-dev] sessionId changes between requests?
>
> Maybe a decoupling of cookie from session ID isn't very feasible...I
> guess I can just turn off the "changeSessionIdOnLogin" switch and change
> the ID within the authenticator instead.
>
> On 1/21/2016 10:28 PM, Stuart Douglas wrote:
>> This was done for security reasons (see
>> https://issues.jboss.org/browse/UNDERTOW-579).
>>
>> I don't know how practical it would be to de-couple the cookie value from
>> the session ID. Could you just use a
>> javax.servlet.http.HttpSessionIdListener to monitor session ID changes?
>>
>> Stuart
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: undertow-dev(a)lists.jboss.org
>>> Sent: Friday, 22 January, 2016 11:44:53 AM
>>> Subject: Re: [undertow-dev] sessionId changes between requests?
>>>
>>> Ok, found it. setChangeSessionIdOnLogin()
>>>
>>> Can I ask why this is done? Security reasons? To change the cookie?
>>> If it is to change the cookie, would be really good in the future to
>>> decouple the session cookie value from the session id so that plugins,
>>> like Keycloak, that are remotely managing and monitoring sessions can
>>> still do so without creating a security hole.
>>>
>>> On 1/21/2016 6:10 PM, Bill Burke wrote:
>>>> Does a HttpSession ID change between requests? We are storing the
>>>> current HttpSession ID at our IDP after login, then transmitting back to
>>>> the app in a background HTTP request, looking up the session and then
>>>> invalidating it. This used to work on Wildfly 8 and 9, in 10, looks like
>>>> it is not the same http session.
>>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>>
>>> _______________________________________________
>>> undertow-dev mailing list
>>> undertow-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
4:33 p.m.
Yes, at least with the way we implement it. When a session is generated it has the node id
appended to the end of the session (so the session ID will look something like
ASDGAWG242AF.node1 ). Both sessions will end up with the same node ID in this case.
We don't maintain an internal map of session ID -> node id, but even if we did it
would still work, because that map should be updated when the new cookie is generated.
Stuart
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stuart Douglas" <sdouglas(a)redhat.com>
Cc: undertow-dev(a)lists.jboss.org
Sent: Saturday, 23 January, 2016 12:50:30 AM
Subject: Re: [undertow-dev] sessionId changes between requests?
Is this safe for load balancers and sticky sessions?
On 1/22/2016 12:14 AM, Stuart Douglas wrote:
> Something to be aware of is that in Servlet 3.1 users can also trigger this
> change by calling javax.servlet.http.HttpServletRequest.changeSessionId().
>
> Not sure if that will also cause issues for you or not.
>
> Stuart
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stuart Douglas" <sdouglas(a)redhat.com>
>> Cc: undertow-dev(a)lists.jboss.org
>> Sent: Friday, 22 January, 2016 3:29:29 PM
>> Subject: Re: [undertow-dev] sessionId changes between requests?
>>
>> Maybe a decoupling of cookie from session ID isn't very feasible...I
>> guess I can just turn off the "changeSessionIdOnLogin" switch and
change
>> the ID within the authenticator instead.
>>
>> On 1/21/2016 10:28 PM, Stuart Douglas wrote:
>>> This was done for security reasons (see
>>> https://issues.jboss.org/browse/UNDERTOW-579).
>>>
>>> I don't know how practical it would be to de-couple the cookie value
from
>>> the session ID. Could you just use a
>>> javax.servlet.http.HttpSessionIdListener to monitor session ID changes?
>>>
>>> Stuart
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: undertow-dev(a)lists.jboss.org
>>>> Sent: Friday, 22 January, 2016 11:44:53 AM
>>>> Subject: Re: [undertow-dev] sessionId changes between requests?
>>>>
>>>> Ok, found it. setChangeSessionIdOnLogin()
>>>>
>>>> Can I ask why this is done? Security reasons? To change the cookie?
>>>> If it is to change the cookie, would be really good in the future to
>>>> decouple the session cookie value from the session id so that plugins,
>>>> like Keycloak, that are remotely managing and monitoring sessions can
>>>> still do so without creating a security hole.
>>>>
>>>> On 1/21/2016 6:10 PM, Bill Burke wrote:
>>>>> Does a HttpSession ID change between requests? We are storing the
>>>>> current HttpSession ID at our IDP after login, then transmitting
back
>>>>> to
>>>>> the app in a background HTTP request, looking up the session and
then
>>>>> invalidating it. This used to work on Wildfly 8 and 9, in 10, looks
>>>>> like
>>>>> it is not the same http session.
>>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>>
>>>> _______________________________________________
>>>> undertow-dev mailing list
>>>> undertow-dev(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3228
days inactive
3229
days old
6 comments
2 participants
participants (2)
-
Bill Burke -
Stuart Douglas