1. Re: OWASP / New Session after Login
shane.bryzak Jan 1, 2008 7:09 PM (in response to ahus1)

Seam currently doesn't support generating a new session in the middle of a request, however the owasp.org page you cited contains a great list of points. Feel free to raise this in JIRA and assign to me (and please include the URL to the list), that way it won't get swept under the rug.
2. Re: OWASP / New Session after Login
ahus1 Jan 5, 2008 3:54 PM (in response to ahus1)

I found the following workaround to assure that there is a new session after a login: by destroying the original session before the login using a small filter.
This is only a workaround as it destroys the previous session completely -- anything i.e. in a shopping basket will be lost (as my application doesn't have a shopping basket this is not a problem for me).
A "nice" implementation in seam shouldn't have this limitation.
I will open a ticket shortly.
Alexander.
The Java Class:

    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;

    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;

    /**
     * This filter enforces a new session whenever there is a POST, should be mapped
     * to the URL of the login page in your web.xml
     * @author Alexander Schwartz 2007
     */
    public class NewSessionFilter implements Filter {

        private Log log = LogFactory.getLog(NewSessionFilter.class);

        // login URL, taken from the "url" init-param in web.xml
        private String url;

        public void destroy() {
            // empty.
        }

        public void doFilter(ServletRequest request, ServletResponse response,
                FilterChain chain) throws IOException, ServletException {
            if (request instanceof HttpServletRequest) {
                HttpServletRequest httpRequest = (HttpServletRequest) request;
                // only act on a POST to the login URL coming from an existing session
                if (httpRequest.getMethod().equals("POST")
                        && httpRequest.getSession() != null
                        && !httpRequest.getSession().isNew()
                        && httpRequest.getRequestURI().endsWith(url)) {
                    // drop the old session (and its id), then start a fresh one
                    httpRequest.getSession().invalidate();
                    httpRequest.getSession(true);
                    log.info("new Session:" + httpRequest.getSession().getId());
                }
            }
            chain.doFilter(request, response);
        }

        public void init(FilterConfig filterConfig) throws ServletException {
            url = filterConfig.getInitParameter("url");
            if (url == null) {
                throw new ServletException(
                        "please specify parameter 'url' with login URL");
            }
        }
    }
The web.xml:

    <filter>
        <display-name>NewSessionFilter</display-name>
        <filter-name>NewSessionFilter</filter-name>
        <filter-class>NewSessionFilter</filter-class>
        <init-param>
            <param-name>url</param-name>
            <param-value>/iss/login.jsf</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>NewSessionFilter</filter-name>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/iss/login.jsf</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
3. Re: OWASP / New Session after Login
ahus1 Jan 5, 2008 4:25 PM (in response to ahus1)

There's now
http://jira.jboss.org/jira/browse/JBSEAM-2450
Everybody is free to WATCH this ticket and to VOTE for it.
Thanks, Alexander.