0 Replies Latest reply on May 21, 2007 5:17 AM by ladam

    Session fixation problem

    ladam

      Hi group,
      I have already posted this to the jboss-user ML with no success, so I hope I don't get slapped for crossposting...

      We are currently looking for ways to improve the security in our web applications to prevent session fixation.
      We are looking for ways to generate a new session ID after a user has been authenticated.

      This is our scenario:

      - The web application contains public and private content
      - Public content is available over HTTP, private/restricted content is only available over HTTPS
      - Once the user is logging in, communication is done only over HTTPS

      We now want to generate a new session ID for the user session once he has authenticated, in order to prevent session fixation / session hijacking (e.g. if Chuck sniffs the HTTP communication, or the user doesn't use cookies and publishes a link with the ;jsessionid parameter).

      The solutions found so far all suggested a
      HttpServletRequest.getSession(true) after an invalidation:

      if (!session.isNew()) {
          session.invalidate();                // Invalidate old session
          session = request.getSession(true);  // Create new session ID
      }


      However, running this code on JBoss does not show the expected behaviour: no new session ID is created.

      HttpSession session = request.getSession();
      System.out.println(session.getId());  // Prints "Foo"
      session.invalidate();                 // Invalidate old session
      session = request.getSession(true);   // Should create a new session ID
      System.out.println(session.getId());  // Prints "Foo" again.


      Any hints how we can work around this issue or what we are doing wrong here are greatly appreciated.

      Thanks,
      Ludwig
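The post above asks how to rotate the session ID at login and reports that getSession(true) after invalidate() handed back the same ID. The following is an added example, not code from the original post or from JBoss: a helper that performs the invalidate-and-recreate sequence, carries the application's session attributes across to the fresh session, and checks whether the container actually issued a different ID, failing closed when it did not. The class name SessionRegenerator and the method regenerate() are assumptions for this example; the servlet calls used (getSession, getId, getAttributeNames, invalidate) are the standard javax.servlet.http API.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the original post): rotate the session ID after a
 * successful login so that an identifier the client carried in before
 * authenticating (e.g. from a ;jsessionid link or sniffed plain HTTP) can
 * no longer be used to reach the authenticated session.
 */
public final class SessionRegenerator {

    private SessionRegenerator() { }

    /**
     * Invalidates the current session, obtains a fresh one and copies the
     * application attributes across. Returns the fresh session.
     *
     * If the container hands back a session with the SAME ID (the behaviour
     * the post reports), the fresh session is invalidated again and an
     * exception is thrown, so the login fails closed instead of continuing
     * with a fixation-prone identifier. Adapt the failure handling to taste,
     * but do not silently accept an unchanged ID.
     */
    public static HttpSession regenerate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> attributes = new HashMap<String, Object>();
        String oldId = null;

        if (old != null) {
            oldId = old.getId();
            // Snapshot attributes before invalidate() clears them.
            // Servlet 2.x declares a raw Enumeration, hence the cast.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                attributes.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }

        // The spec says this must create a new session; the check below
        // verifies the ID really changed rather than trusting that.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : attributes.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }

        if (oldId != null && oldId.equals(fresh.getId())) {
            fresh.invalidate();
            throw new IllegalStateException(
                "Session ID " + oldId + " was reused after invalidate(); "
                + "refusing to authenticate on a fixable session");
        }
        return fresh;
    }
}
```

Call regenerate(request) immediately after the credentials have been verified and before any authenticated state is stored, then put the principal into the session it returns. Copying attributes re-fires HttpSessionBindingListener callbacks on any objects that implement it, which is usually what you want but is worth knowing. Newer specs make this easier: Servlet 3.1 added HttpServletRequest.changeSessionId(), which swaps the ID in place without invalidating the session, so on a 3.1+ container that single call replaces the copy-invalidate-recreate dance, and the same "did the ID actually change?" comparison still applies.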