-
1. Re: Change of jsessionid after login
quincyleung Jul 12, 2011 11:36 PM (in response to singhakanksha)
Hi Akanksha,
I am experiencing the same problem.
It happens when a user logs out and logs in again using the same browser window.
I tried to google it a bit and tried the following, but neither works:
1) setting -Dorg.apache.catalina.connector.Request.SESSION_ID_CHECK=true
2) removing the jsessionid cookie when invalidating the session during logout
I am using jboss 4.2.3 here.
Hope someone can lend us a hand.
-
2. Re: Change of jsessionid after login
shantanu.u Jan 10, 2012 5:07 PM (in response to quincyleung)
Did anyone find a solution to this? I'm using jboss 4.2.3 as well.
When the user goes to the welcome page (not logged in yet), a session id is created.
When the user enters the credentials and successfully logs in, the same session id is used.
I don't see this problem in Tomcat.
org.apache.catalina.connector.Request.SESSION_ID_CHECK does not work.
-
3. Re: Change of jsessionid after login
jfclere Jan 11, 2012 3:26 AM (in response to shantanu.u)
emptySessionPath in the Connector?
-
4. Re: Change of jsessionid after login
shantanu.u Jan 11, 2012 11:26 AM (in response to jfclere)
I read the documentation on SESSION_ID_CHECK and emptySessionPath. Can you please explain how these solve the problem? I guess these fixes have helped some and not worked for others.
-
5. Re: Change of jsessionid after login
jfclere Jan 12, 2012 3:20 AM (in response to shantanu.u)
SESSION_ID_CHECK allows a session id to be reused if it is already used in any application of the container.
emptySessionPath sets the cookie path to / so the cookie is shared between the webapps (if you are using a portal you may need it).
-
6. Re: Change of jsessionid after login
shantanu.u Jan 13, 2012 3:34 PM (in response to jfclere)
I have tomcat 6.0.35 in my local dev env and jboss 4.2.3 on unix.
This problem only happens on jboss. If I make the tomcat within Jboss the same as my standalone local tomcat, it should work. Sounds simple.
Tomcat, by default, shows the path in the http headers. Therefore, I set emptySessionPath="false" in \server\default\deploy\jboss-web.deployer\server.xml
Now I see the path. Great! But that doesn't fix the problem.
Is it possible that changeSessionIdOnAuthentication is the culprit? If so, where do I set this in Jboss?
-
7. Re: Change of jsessionid after login
shantanu.u Jan 13, 2012 4:46 PM (in response to quincyleung)
Quincy, were you able to resolve the session id fixation problem? If so, can you post it here. Thanks.
-
8. Re: Change of jsessionid after login
shantanu.u Jan 17, 2012 10:10 AM (in response to shantanu.u)
Since I'm using j_security_check authentication... how can the session be invalidated when using container-managed authentication? My login module is in a common jar and I cannot modify that code. I would need some kind of login pre-processor to do this.
-
9. Re: Change of jsessionid after login
al.stream Jan 30, 2012 4:14 PM (in response to singhakanksha)
I think I have a simple solution. Invalidate the session and delete the cookie named jsessionid!
-- login page code:
a) Call the invalidate function for the httpsession
b) Tell the client to delete the cookie named jsessionid
-- User example
1. User goes to a webpage, which is http, gets a session and jsessionid
2. User goes to the login page, which is HTTPS
3. The login page invalidates the session and deletes the jsessionid cookie for good measure
4. Whatever page the user goes to after the login page is issued a new jsessionid cookie
Seems to work after some initial testing, but I will probably have to experiment more. The one thing I need to verify is that the first jsessionid is indeed purged from the session id list.
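The renewal described in post 9 (invalidate, expire the cookie, get a fresh session) written as a login servlet for application-managed login, as an added example that is not code from the thread. The servlet name and the abstract verify() hook standing in for the application's own credential check are assumptions; with j_security_check the authenticator valve handles the POST before any servlet runs, so for container-managed login the renewal has to live in the authenticator instead.

```java
// Added example, not from the thread. Assumed: application-managed login
// (the form posts here, not to j_security_check); verify() is the hook for
// the application's own credential check.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public abstract class SessionRenewingLoginServlet extends HttpServlet {

    /** Application-specific credential check (assumed, supplied by the app). */
    protected abstract boolean verify(String username, char[] password);

    /** Step a) and b) of post 9: drop the pre-login session and its cookie,
     *  then return a brand-new session with a new JSESSIONID. */
    static HttpSession renewSession(HttpServletRequest request, HttpServletResponse response) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();            // old id is removed from the container's session list
        }
        // Expire the cookie that carried the old id. The path must match the one the
        // container used (context path, or "/" when emptySessionPath is in effect).
        Cookie expired = new Cookie("JSESSIONID", "");
        String path = request.getContextPath();
        expired.setPath(path.isEmpty() ? "/" : path);
        expired.setMaxAge(0);
        response.addCookie(expired);
        // getSession(true) makes the container add a Set-Cookie with the new id,
        // which supersedes the expired one above in the same response.
        return request.getSession(true);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");
        String pass = request.getParameter("password");
        if (user == null || pass == null || !verify(user, pass.toCharArray())) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Renew only after the credentials check, so the authenticated state is never
        // attached to a session id the browser already held before login.
        HttpSession fresh = renewSession(request, response);
        fresh.setAttribute("user", user);
        response.sendRedirect(request.getContextPath() + "/home");
    }
}
```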
-
10. Re: Change of jsessionid after login
endrigoantonini Aug 6, 2012 4:56 PM (in response to singhakanksha)
I know it has been a long time since this post, but I'm having the same problem!
But I'm using JBoss 7.x.x.
Is there any way to regenerate the sessionId for the user?
I'm using a custom login module.
-
11. Re: Change of jsessionid after login
greco Sep 4, 2012 4:03 PM (in response to endrigoantonini)
I'm trying to find an answer as well. I don't understand why they rejected your ticket to begin with, it seemed valid on all points.
-
12. Re: Change of jsessionid after login
endrigoantonini Sep 5, 2012 8:40 AM (in response to greco)
I agree with you.
I just commented on the issue to understand why he closed it.
To all the people that are having the same issue or problem, here is the issue that I created: AS7-5315
-
13. Re: Change of jsessionid after login
greco Sep 7, 2012 1:49 PM (in response to endrigoantonini)
I figured it out!! You need to write a custom FormAuthenticator that sets "change session id on authentication" to true before the call to authenticate, and add it as a valve in your jboss-web.xml.
Here's what I did:
Write a custom FormAuthenticator

    import java.io.IOException;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.catalina.authenticator.FormAuthenticator;
    import org.apache.catalina.connector.Request;
    import org.apache.catalina.deploy.LoginConfig;

    public class MyAuthenticator extends FormAuthenticator {

        @Override
        public boolean authenticate(final Request request, final HttpServletResponse response,
                final LoginConfig config) throws IOException {
            // Ask the base authenticator to issue a new session id once the
            // credentials are accepted, so the pre-login id is not kept.
            setChangeSessionIdOnAuthentication(true);
            return super.authenticate(request, response, config);
        }
    }
Add the valve config to your jboss-web.xml

    <jboss-web>
        <context-root>/<!-- your app context --></context-root>
        <security-domain><!-- your domain --></security-domain>
        <valve>
            <class-name>com.domain.path.to.your.MyAuthenticator</class-name>
        </valve>
    </jboss-web>
If you are using maven, make sure you use the correct version of the catalina libraries. Add this to your pom.xml

    <dependency>
        <groupId>org.apache.tomcat</groupId>
        <artifactId>tomcat-catalina</artifactId>
        <version>7.0.27</version>
        <scope>provided</scope>
    </dependency>

That's all I had to do on AS7 (7.0.2). On 7.1.1 I believe it's the same approach, but instead of extending the FormAuthenticator from the catalina jar you need to work with the org.jboss.as.web.security.ExtendedFormAuthenticator.
The session is now changed prior to authentication and session fixation is no longer an issue.
-
14. Re: Change of jsessionid after login
endrigoantonini Sep 10, 2012 7:55 AM (in response to singhakanksha)
Thanks Greco!
I'll try this solution!!