[jboss-user] [JBoss Seam] - Re: sessionId cookie: man-in-the-middle attack

avbentem do-not-reply at jboss.com
Sun Jun 3 09:24:17 EDT 2007


"fguerzoni" wrote:
    forcing a pre-login session invalidation and a new session creation (request.getSession(true)) as soon as client authenticates. Old session data should then be copied to new session.
    In this case a new sessionId cookie will be sent to client: client will use this ticket during next requests.
I think the changes for this JBSEAM-1361 cover Gavin's proposal in this forum topic, but note that existing session data might not be preserved. The session is invalidated using Seam#invalidateSession(), and I think at that point any old session data is lost.

But: I'm not sure; comments welcome!

Arjan.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4050742#4050742
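The mechanism discussed in this thread (invalidate the pre-login session, create a fresh one so the container issues a new session cookie, and carry the old attributes over) in plain Servlet API terms. This is an added example, not Seam's Seam#invalidateSession() nor code from either poster; it assumes a Servlet 2.x-era container where the session id can only be changed by invalidating and recreating the session, and that the session cookie is the container's JSESSIONID (Servlet 3.1 later added HttpServletRequest.changeSessionId(), which rotates the id in place without the copy step).

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

/**
 * Rotates the session id at the moment of authentication, so that a session
 * id an attacker fixed or observed before login is no longer valid afterwards.
 * Hypothetical helper, not part of Seam.
 */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Invalidates the caller's current session (if any), creates a new one and
     * copies the old attributes into it. Returns the new session; the container
     * sends the new session cookie with the response that completes login.
     */
    public static HttpSession rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();

        if (old != null) {
            // Snapshot attributes first: once invalidated, the old session
            // throws IllegalStateException on every accessor.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }

        // getSession(true) after invalidate() yields a session with a new id.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Typical use from a login action, after credentials have been verified. */
    public static void onAuthenticated(HttpServletRequest request, String username) {
        HttpSession session = rotate(request);
        session.setAttribute("authenticatedUser", username);
    }
}
```

Copying every attribute blindly is the simplest way to preserve data, but it is also the reason Arjan's caveat matters: framework-managed objects stored in the session (Seam's contexts, listeners bound to the old session) may not survive being moved to a new HttpSession, so in practice one either copies only the application's own attributes or accepts that pre-login state is discarded.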

