-
15. Re: Change of jsessionid after login
endrigoantonini Sep 10, 2012 10:18 AM (in response to greco)It works!!! Thanks man!!
I think the author of the topic should mark your post as the answer.
-
16. Re: Change of jsessionid after login
jfclere Sep 10, 2012 11:38 AM (in response to endrigoantonini)Hm, I think I screwed it up: org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH=true should do the job too, no?
-
17. Re: Change of jsessionid after login
matlach Sep 28, 2012 11:44 AM (in response to jfclere)Are you suggesting, Jean-Frederic, adding this property in standalone.xml?
<system-properties>
    <property name="org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH" value="true"/>
</system-properties>
I think I'm facing the same issue even if this is defined.
Thanks,
-
18. Re: Change of jsessionid after login
jfclere Sep 30, 2012 6:52 AM (in response to matlach)It works for me.
I have tried BASIC authentication; I see the session id change after authentication (after visiting a page with a security-constraint) and with programmatic login.
-
19. Re: Change of jsessionid after login
bondchan921 Aug 28, 2013 5:03 AM (in response to jfclere)If I read the replies correctly, both solutions are for AS7. I have tried on AS 4.2.3, and neither of them worked:
1) It does not have this method: FormAuthenticator.setChangeSessionIdOnAuthentication(true)
2) It does not have these fields:
-Dorg.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH=true
-Dorg.apache.catalina.connector.Request.SESSION_ID_CHECK=true
-
20. Re: Change of jsessionid after login
jfclere Aug 28, 2013 8:46 AM (in response to bondchan921)It is for AS7.2.x
-
21. Re: Change of jsessionid after login
kanit_com Feb 27, 2014 4:08 AM (in response to singhakanksha)Can anyone solve this issue on AS 4.2.3? Mr. Bond Chan, how can you solve the issue with AS 4.2.3?
Thank you for the answer.
-
22. Re: Change of jsessionid after login
jfclere Feb 28, 2014 11:42 AM (in response to kanit_com)You can't (or you have to change several classes). Upgrade to a newer version.
-
23. Re: Change of jsessionid after login
kanit_com Mar 4, 2014 2:58 AM (in response to jfclere)Thank you for your reply. By the way we will upgrade to newer version.
-
24. Re: Change of jsessionid after login
ilya.zinchuk Aug 26, 2014 10:18 AM (in response to matlach)Dear Mathieu and Jean-Frederic, thanks a lot, worked indeed for AS 7.2.x
-
25. Re: Change of jsessionid after login
bob0jboss Jan 29, 2015 9:56 AM (in response to singhakanksha)I've managed to successfully change the session id on authentication on JBoss 4.2.3 GA. Below is the code required to do this. Basically it's a reimplementation of the missing methods that exist in future versions of JBoss.
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

import javax.faces.context.FacesContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletRequestWrapper;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.catalina.Context;
import org.apache.catalina.Globals;
import org.apache.catalina.Manager;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.RequestFacade;
import org.apache.catalina.connector.Response;
import org.apache.catalina.session.ManagerBase;
import org.apache.catalina.session.StandardSession;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Observer;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.framework.Controller;
import org.jboss.seam.security.Identity;

@Name("loginManager")
@Scope(ScopeType.CONVERSATION)
public class LoginManager extends Controller {

    @In(create = true)
    Identity identity;

    public String login() throws LoginException {
        // .... custom login code...
    }

    // Seam raises this event once authentication has succeeded. Rotating the id here
    // means a session id fixed before login does not survive into the authenticated session.
    @Observer(value = "org.jboss.seam.security.loginSuccessful", create = false)
    public void onLoginSuccessful() {
        SessionData.changeSessionId();
    }
}

@Name("sessionData")
public class SessionData {

    /*
     * This method adds functionality that is missing in JBoss 4.2.3 but present in later
     * versions (AS 7). It reproduces the following piece of code taken from
     * AuthenticatorBase.register(...), assuming that the 'changeSessionIdOnAuthentication'
     * variable is set to true:
     * http://www.docjar.com/html/api/org/apache/catalina/authenticator/AuthenticatorBase.java.html
     *
     *   if (session != null && changeSessionIdOnAuthentication) {
     *       Manager manager = request.getContext().getManager();
     *       manager.changeSessionId(session);
     *       request.changeSessionId(session.getId());
     *   }
     *
     * Because those methods do not exist in 4.2.3, the Catalina internals are reached
     * by reflection; the field and method names are tied to that Tomcat 6 code base.
     */
    public static String changeSessionId() {
        HttpServletRequest httpServletRequest =
            (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
        HttpSession httpSession = httpServletRequest.getSession();
        String sessionId = httpSession.getId();
        // Note: printing session ids writes a bearer credential into the server log.
        System.out.println("Current SessionId: " + sessionId);
        try {
            // The facade handed to the application keeps the real StandardSession
            // in a private field named "session".
            Field sessionField = httpSession.getClass().getDeclaredField("session");
            sessionField.setAccessible(true);
            StandardSession standardSession = (StandardSession) sessionField.get(httpSession);

            /*
             * Replicate the missing method ManagerBase.changeSessionId(Session session):
             * http://www.docjar.com/html/api/org/apache/catalina/session/ManagerBase.java.html
             * generateSessionId() is protected, hence the reflective call.
             */
            Manager manager = standardSession.getManager();
            Method generateSessionIdMethod = ManagerBase.class.getDeclaredMethod("generateSessionId");
            generateSessionIdMethod.setAccessible(true);
            String newSessionId = (String) generateSessionIdMethod.invoke(manager);
            // StandardSession.setId re-registers the session with its manager under the new id.
            standardSession.setId(newSessionId);

            /*
             * Replicate the missing method Request.changeSessionId(String newSessionId):
             * http://www.docjar.com/html/api/org/apache/catalina/connector/Request.java.html
             * The browser has to learn the new id, so a replacement JSESSIONID cookie is sent.
             */
            RequestFacade requestFacade =
                (RequestFacade) ((ServletRequestWrapper) httpServletRequest).getRequest();
            Field requestField = RequestFacade.class.getDeclaredField("request");
            requestField.setAccessible(true);
            Request request = (Request) requestField.get(requestFacade);
            Response response = request.getResponse();
            Context context = request.getContext();
            if (response != null) {
                Cookie newCookie = new Cookie(Globals.SESSION_COOKIE_NAME, newSessionId);
                newCookie.setMaxAge(-1);
                String contextPath = null;
                if (!response.getConnector().getEmptySessionPath() && (context != null)) {
                    contextPath = context.getEncodedPath();
                }
                if ((contextPath != null) && (contextPath.length() > 0)) {
                    newCookie.setPath(contextPath);
                } else {
                    newCookie.setPath("/");
                }
                if (request.isSecure()) {
                    newCookie.setSecure(true);
                }
                response.addCookieInternal(newCookie);
            }
            System.out.println("New SessionId: " + newSessionId);
            return newSessionId;
        } catch (IllegalArgumentException e) {
            e.printStackTrace();
        } catch (SecurityException e) {
            e.printStackTrace();
        } catch (IllegalAccessException e) {
            e.printStackTrace();
        } catch (NoSuchFieldException e) {
            e.printStackTrace();
        } catch (InvocationTargetException e) {
            e.printStackTrace();
        } catch (NoSuchMethodException e) {
            e.printStackTrace();
        }
        // Reflection failed: the session id is unchanged, and the caller should treat that as an error.
        return sessionId;
    }
}
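As an added example (editor's code, not from this thread, from bob0jboss or from JBoss): on a Servlet 2.5 container such as JBoss AS 4.2.3 or EAP 5.1 the session id can also be rotated after login without reflection into Catalina internals, by invalidating the pre-login session and creating a fresh one that carries the same attributes. Only the standard javax.servlet API is used; the package, class and method names below are the editor's own choices.

```java
// Added example (editor's code, not from the thread or from JBoss): portable
// session-id rotation for a Servlet 2.5 container (JBoss AS 4.2.3 / EAP 5.1).
// Package, class and method names are the editor's own choices.
package example.web;

import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class SessionRotation {

    private SessionRotation() {
    }

    /**
     * Replaces the caller's current session with a fresh one that carries the
     * same attributes, and returns the new session id. Call it right after
     * authentication succeeds and before anything is stored for the
     * authenticated user: a session id that an attacker planted before login
     * (session fixation) then no longer maps to the authenticated session.
     *
     * On a Servlet 3.1+ container the same effect is one call,
     * request.changeSessionId(), which keeps the session object and only renames it.
     */
    public static String rotate(HttpServletRequest request) {
        Map<String, Object> attributes = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            // Servlet 2.5 returns a raw Enumeration; attribute names are always Strings.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                attributes.put(name, old.getAttribute(name));
            }
            // Destroys the pre-login session: its id becomes unknown to the container.
            old.invalidate();
        }
        // The container allocates a new id and queues a new JSESSIONID Set-Cookie.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : attributes.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh.getId();
    }
}
```

Call rotate(request) from the same point as the loginSuccessful observer in the post above, and treat a returned id equal to the old one as a failure. Two caveats: invalidate() fires HttpSessionListener and HttpSessionBindingListener callbacks on the old session, so attributes whose objects react to being unbound have to be re-established rather than blindly copied; and, unlike renaming the session in place, any other request in flight on the old id loses its session. Whichever route is taken, verify it the way jfclere describes: capture the JSESSIONID Set-Cookie before login and on the first authenticated response and confirm the two values differ.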
-
26. Re: Change of jsessionid after login
kumar_jboss Jul 19, 2016 6:32 AM (in response to bob0jboss)Hi All,
I have a security issue in the application; to fix it I have to change the JSESSIONID after user login, but this is not happening.
I am using JBoss EAP 5.1. Can anyone help with this?
-
27. Re: Change of jsessionid after login
jfclere Aug 25, 2016 5:34 AM (in response to kumar_jboss)If you are using EAP 5.1 you probably have other security issues; try upgrading to a supported version like 6.4.9.