[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Is it possible to create a new Session ID using session.inva
jbosstak
do-not-reply at jboss.com
Fri Nov 2 07:18:27 EDT 2007
For the following code, I was able to create a new Session ID under Tomcat5.5.
However, the Session ID was the same under JBoss4.21GA.
    session = request.getSession(true);
    out.println("session id=" + session.getId());

    request.getSession(true).invalidate();
    session = request.getSession(true);
    out.println("session id=" + session.getId());
To prevent a Session Fixation Attack, I hope to create a new Session ID after the Login process.
If it is possible, could you please tell me the way?
Thank you.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4101250#4101250