[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-2450) OWASP / New Session after Login

ahus1 (JIRA) jira-events at lists.jboss.org
Sat Jan 5 16:23:59 EST 2008

OWASP / New Session after Login

                 Key: JBSEAM-2450
                 URL: http://jira.jboss.com/jira/browse/JBSEAM-2450
             Project: JBoss Seam
          Issue Type: Feature Request
    Affects Versions: 2.0.0.GA
         Environment: Linux 2.6, jetty 6.1.5, java 6
            Reporter: ahus1


OWASP has compiled a "top 10" vulnerabilities for web applications.

One suggestion against session hijacking was the following: Start a new HTTP session after a successful login:

"Consider regenerating a new session upon successful authentication or privilege level change."


Therefore there should be a (configurable?) switch to choose "continue with new session ID after successful log on".

I have thought of invalidating the current HTTP session, creating a new one and copying all elements from the old session to the new session in my Authenticator. But Seam 2.0.0 doesn't allow this: When I use the low-level functions this is blocked by IllegalStateException("Please end the HttpSession via Seam.invalidateSession()") in Lifecycle. When I use Seam.invalidateSession(), the session is only destroyed at the end of the request and I am unable to copy any objects in my Authenticator as the new session doesn't exist yet.

The workaround I have come up with is a filter that destroys the complete session before the log in.

This is not very elegant, but it works for me as I don't have e.g. a shopping basket that I'd like to preserve.

A "nice" implementation in Seam shouldn't have this limitation.

shane.bryzak at jboss.com asked for this ticket to be assigned to her.

The Java Class:


import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.logging.Log;        // commons-logging, as implied by LogFactory.getLog(...)
import org.apache.commons.logging.LogFactory;

/**
 * This filter enforces a new session whenever there is a POST, should be mapped
 * to the URL of the login page in your web.xml
 * @author Alexander Schwartz 2007
 */
public class NewSessionFilter implements Filter {
  private Log log = LogFactory.getLog(NewSessionFilter.class);
  private String url;
  public void destroy() {
    // empty.
  }
  public void doFilter(ServletRequest request, ServletResponse response,
      FilterChain chain) throws IOException, ServletException {
    if (request instanceof HttpServletRequest) {
      HttpServletRequest httpRequest = (HttpServletRequest) request;
      if (httpRequest.getMethod().equals("POST")
          && httpRequest.getSession() != null
          && !httpRequest.getSession().isNew()
          && httpRequest.getRequestURI().endsWith(url)) {
        // destroy the old session; the next getSession() call makes the container create a new one
        httpRequest.getSession().invalidate();
        log.info("new Session:" + httpRequest.getSession().getId());
      }
    }
    chain.doFilter(request, response);
  }
  public void init(FilterConfig filterConfig) throws ServletException {
    url = filterConfig.getInitParameter("url");
    if (url == null) {
      throw new ServletException(
          "please specify parameter 'url' with login URL");
    }
  }
}

The web.xml:


		<servlet-name>Faces Servlet</servlet-name>

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
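The variant the reporter wanted but could not get from the Authenticator, rotating the session ID while keeping the session's attributes, written as an added example in plain Servlet API terms. This is not code from the ticket, from Seam or from the reporter; the class name SessionRegenerationFilter and the helper regenerate() are assumptions, and only the init-param name "url" follows the ticket's filter. Whether Seam 2.0.0's own session lifecycle tolerates the copy step is not established by the ticket, which reports only that the drop-everything filter works.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example (assumed names, not Seam API): on a POST to the login URL,
 * replace the session ID but keep the session's attributes, e.g. a shopping
 * basket, so that a pre-login session ID stops being valid after login.
 */
public class SessionRegenerationFilter implements Filter {
  private String loginUrl;        // init-param "url", same convention as NewSessionFilter
  private ServletContext context; // used for logging old/new IDs

  public void init(FilterConfig config) throws ServletException {
    loginUrl = config.getInitParameter("url");
    if (loginUrl == null) {
      throw new ServletException("init-param 'url' (login page URL) is required");
    }
    context = config.getServletContext();
  }

  public void doFilter(ServletRequest request, ServletResponse response,
      FilterChain chain) throws IOException, ServletException {
    if (request instanceof HttpServletRequest) {
      HttpServletRequest http = (HttpServletRequest) request;
      HttpSession current = http.getSession(false); // never create a session only to rotate it
      if (current != null && "POST".equals(http.getMethod())
          && http.getRequestURI().endsWith(loginUrl)) {
        regenerate(http, current);
      }
    }
    chain.doFilter(request, response);
  }

  /** Copy attributes out, invalidate, obtain a fresh session, copy them back. */
  HttpSession regenerate(HttpServletRequest http, HttpSession old) {
    Map<String, Object> saved = new HashMap<String, Object>();
    Enumeration<?> names = old.getAttributeNames();
    while (names.hasMoreElements()) {
      String name = (String) names.nextElement();
      saved.put(name, old.getAttribute(name));
    }
    String oldId = old.getId();
    old.invalidate();                          // the pre-login ID is no longer usable
    HttpSession fresh = http.getSession(true); // container issues a new ID
    for (Map.Entry<String, Object> e : saved.entrySet()) {
      fresh.setAttribute(e.getKey(), e.getValue());
    }
    // Log both IDs so an audit trail can tie the anonymous session to the authenticated one.
    context.log("session regenerated on login: " + oldId + " -> " + fresh.getId());
    return fresh;
  }

  public void destroy() {
    // nothing to release
  }
}
```

Register it in web.xml like the ticket's filter: an init-param named "url" holding the login page's path, and a filter-mapping whose URL pattern covers that page. Two caveats a deployer should check: attributes that implement HttpSessionBindingListener receive unbound/bound callbacks during the copy, and any framework that manages the session itself (Seam, per the ticket) may keep state outside the attribute map that this copy does not carry over.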

