Hi group,
I have already posted this to the jboss-user ML with no success, so I hope I don't get slapped for cross-posting...
We are currently looking for ways to improve the security in our web applications to prevent session fixation.
We are looking for ways to generate a new session ID after a user has been authenticated.
This is our scenario:
- The web application contains public and private content
- public content is available via http, private/restricted content is only available via https
- If the user logs in, communication is done only via https
We now want to generate a new session ID for the user session once he has authenticated, in order to prevent session fixation / session hijacking (e.g. if Chuck sniffs the http communication, or the user doesn't use cookies and publishes a link with the ;jsessionid parameter).
The solutions found so far all suggested an HttpServletRequest.getSession(true) after an invalidation:

    if (!session.isNew()) {
        session.invalidate();               // Invalidate old Session
        session = request.getSession(true); // Create new Session ID
    }
    System.out.println(session.getId()); // Prints "Foo"
    session.invalidate();                // Invalidate old HttpSession
    session = request.getSession(true);  // Should create new SessionID
    System.out.println(session.getId()); // Prints "Foo" again.
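The rotation the post is after, written out as a login servlet against the Servlet 2.x API. This is an added example, not code from the original post or from JBoss. It assumes hypothetical names: a form with `username`/`password` parameters, a pre-login attribute `cart` that is worth carrying across the login, a `user` attribute holding the authenticated principal, a `/private/` landing page, and a placeholder `checkCredentials` that a real application would replace with its own authenticator. Two points the plain invalidate-then-getSession snippet misses are built in: only whitelisted attributes survive the rotation (anything an attacker could have planted under a fixed id is dropped), and the code fails closed if the container hands back the same id, because then the fixed id would survive authentication.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example (not from the post or from JBoss): rotate the session id at login. */
public class LoginServlet extends HttpServlet {

    /** Attributes carried from the pre-login session; everything else is dropped. */
    private static final Set<String> CARRY_OVER = new HashSet<String>();
    static { CARRY_OVER.add("cart"); }   // hypothetical attribute name

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.isSecure()) {            // credentials and the new id must travel over https only
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (!checkCredentials(user, pass)) {   // hypothetical authenticator, see below
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Rotate before anything is written: getSession(true) throws once the response is committed.
        HttpSession fresh = rotateSession(req, CARRY_OVER);
        fresh.setAttribute("user", user);  // the principal goes only into the fresh session
        resp.sendRedirect(req.getContextPath() + "/private/");
    }

    /**
     * Invalidates the current session (if any) and returns a new one holding only the
     * whitelisted attributes. Throws if the container reused the old id, so the caller
     * never treats a fixed id as authenticated.
     */
    static HttpSession rotateSession(HttpServletRequest req, Set<String> keep) {
        HttpSession old = req.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        String oldId = null;
        if (old != null) {
            oldId = old.getId();
            for (Enumeration<?> e = old.getAttributeNames(); e.hasMoreElements();) {
                String name = (String) e.nextElement();
                if (keep.contains(name)) {
                    saved.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        if (oldId != null && oldId.equals(fresh.getId())) {
            // Same id as before: the fixation is still in place, refuse to log in on it.
            fresh.invalidate();
            throw new IllegalStateException("container reused session id " + oldId);
        }
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }

    /** Placeholder only: a real deployment delegates to its user store or realm. */
    private boolean checkCredentials(String user, String pass) {
        return "alice".equals(user) && "correct horse".equals(pass);
    }
}
```

Two caveats for the "prints Foo again" case. In Tomcat-based containers the connector attribute `emptySessionPath="true"` makes `getSession(true)` reuse the session id presented in the request cookie when it creates the replacement session, so an unchanged id after invalidate() is the symptom to check against that setting in server.xml; the `IllegalStateException` above is there to make that misconfiguration loud instead of silent. On Servlet 3.1 and later containers `HttpServletRequest.changeSessionId()` rotates the id in place and makes the copy-and-invalidate dance unnecessary. Independently of rotation, the session cookie must be marked Secure, otherwise the browser will also send the new id over the public http pages and the sniffing scenario from the post is back.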