[jboss-user] Session fixation / getSession(true) does not create new SessionID
Ludwig Adam
ladam at petafuel.de
Wed May 16 12:29:24 EDT 2007
Hi group,
we are currently looking for ways to improve the security in our web
applications to prevent session fixation.
We are looking for ways to generate a new session ID after a user has
been authenticated.
This is our scenario:
- The web application contains public and private content
- public content is available over http, private/restricted content is
only available over https
- if the user is logging in, communication is done only over https
We now want to generate a new session ID for the user session once he
has authenticated in order to prevent session fixation / session
hijacking (e.g. if Chuck sniffs the http communication, or the user doesn't
use cookies and publishes a link carrying the ;jsessionid parameter).
The solutions found so far all suggested a
HttpServletRequest.getSession(true) after an invalidation:

    if (session.isNew()) {
        session.invalidate();                 // Invalidate old session
        session = request.getSession(true);   // Create new session ID
    }
However, running this code on JBoss does not show the expected
behaviour; no new session ID is created:

    System.out.println(session.getId());      // Prints "Foo"
    session.invalidate();                     // Invalidate old session
    session = request.getSession(true);       // Should create new session ID
    System.out.println(session.getId());      // Prints "Foo" again.
Any hints on how we can work around this issue, or on what we are doing
wrong here, are greatly appreciated.
Thanks,
Ludwig
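Added example, not part of Ludwig's post and not JBoss code: the usual Servlet 2.x way to rotate a session ID at login is to copy the session attributes out, invalidate the old session, ask the container for a fresh one, and copy the attributes back. The helper class name (SessionRotation), the attribute name "user" and the login-servlet fragment are assumptions for illustration; the javax.servlet API calls are real. The check at the end is the one a practitioner wants here: if the container hands back the same ID (some containers re-use a client-supplied ID when creating a session), fail loudly rather than silently keeping a fixable session.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Rotates the HTTP session identifier after a successful login so that a
 * session ID an attacker learned or planted before authentication (sniffed
 * cookie, shared ;jsessionid link) is not bound to the authenticated user.
 *
 * Added example; class name and attribute names are assumptions.
 */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Invalidates the current session (if any), creates a new one and
     * carries the old session's attributes over. Returns the new session.
     *
     * @throws IllegalStateException if the container did not issue a new ID,
     *         in which case the session must still be treated as fixable.
     */
    public static HttpSession rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        String oldId = null;

        if (old != null) {
            oldId = old.getId();
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();   // old ID is no longer accepted by the container
        }

        HttpSession fresh = request.getSession(true);

        // The whole point of the rotation: a different identifier.
        if (oldId != null && oldId.equals(fresh.getId())) {
            throw new IllegalStateException(
                "container re-used session id " + oldId + " after invalidate()");
        }

        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /**
     * Illustrative login handling (assumed servlet fragment): authenticate
     * first, rotate second, and only then store the principal in the session.
     */
    public static HttpSession onSuccessfulLogin(HttpServletRequest request,
                                                String username) {
        HttpSession session = rotate(request);
        session.setAttribute("user", username);   // "user" is an assumed key
        return session;
    }
}
```

Order matters: the credentials are verified on the request that still carries the old ID, the rotation happens on that same request, and the authenticated principal is stored only in the new session, so the pre-login ID never becomes an authenticated one. On a Servlet 3.1 or newer container the same effect is available as HttpServletRequest.changeSessionId(), which keeps the attributes and swaps the ID inside the container; on a 2007-era JBoss the copy-invalidate-recreate sequence above is what is available.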