1 Reply Latest reply on Oct 12, 2012 3:04 AM by sfcoy

    Session-fixation and org.apache.catalina.connector.Request.SESSION_ID_CHECK

    selfcare

      Hi,

      I am using JBoss AS 5.1.0 GA.

      I am trying to work on the session-fixation concept in JBoss AS. Since the session is created by the app server, it is the responsibility of the app server to create a new session when a user logs in. This is to prevent session-fixation attacks.

      As I search this forum, I am starting to believe that creating a new session after a user logs in cannot be achieved in JBoss AS. Please refer to these links (although the links are old, I didn't find newer posts on this concept): https://community.jboss.org/message/126090#126090 and https://community.jboss.org/message/139808#139808. Many other links are there from other forums.

      But after going through this link https://community.jboss.org/message/548147#548147 , I feel it can somehow be achieved by setting the value org.apache.catalina.connector.Request.SESSION_ID_CHECK to "true" or "false". Is that so?

      If so, since this value is in a JAR file, is it configurable in some property file?

      Most importantly, can a new session be created after a user logs in in JBoss AS?

      Regards,
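The mitigation the post is asking about, shown as an added example rather than anything from the thread or from JBoss AS itself: on a Servlet 2.5 container such as JBoss AS 5.1 there is no `HttpServletRequest.changeSessionId()` (that arrived in Servlet 3.1), so an application that handles its own login must invalidate the pre-authentication session and let the container issue a fresh one, carrying over any attributes it still needs. The `LoginServlet`, the `authenticate` method and the `user`/`pass` parameter names below are hypothetical placeholders for whatever the application's login flow looks like.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Session-fixation guard for Servlet 2.5 containers (e.g. JBoss AS 5.1 / JBoss Web).
 * Example code, not part of JBoss AS: it replaces the session that existed before
 * authentication with a newly generated one so that an ID planted by an attacker
 * (via URL, cookie injection, etc.) never becomes an authenticated session.
 */
public final class SessionFixationGuard {

    private SessionFixationGuard() {
    }

    /**
     * Invalidates the current session (if any) and returns a fresh one with a new ID.
     * Attributes of the old session are copied across so application state survives;
     * drop that copy if the pre-login session should carry nothing forward.
     */
    public static HttpSession renewSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();

        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            // Invalidation removes the old ID from the container's session manager,
            // so a request presenting the planted ID gets a brand-new, unauthenticated session.
            old.invalidate();
        }

        // getSession(true) after invalidate() makes the container generate a new ID
        // and emit a new JSESSIONID cookie on this response.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}

/** Hypothetical application-managed login servlet showing where the guard is called. */
class LoginServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user"); // assumed form field names
        String pass = req.getParameter("pass");

        if (!authenticate(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Only after credentials are verified: rotate the session ID, then mark it authenticated.
        HttpSession session = SessionFixationGuard.renewSession(req);
        session.setAttribute("principal", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /** Placeholder for the application's real credential check (assumption, not a real API). */
    private boolean authenticate(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}
```

This only helps when the application code sees the login request. With container-managed authentication (`j_security_check` form login or BASIC/DIGEST handled by the web container), the servlet never runs during authentication, and rotating the ID has to be done by the container itself, which is exactly the gap the post is asking JBoss AS 5.1 to fill. Verify the rotation with a browser or curl: note the `JSESSIONID` cookie before posting credentials and confirm a different value is set on the login response.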