Hello all,
I'm working at the moment on a JSF web project, using JBoss AS 7.1.1.Final and Mojarra 2.1.7 (Mojarra 2.1.7-jbossorg-1). As an outcome of a security review, we have the requirement to switch the HttpSession after a successful login of the user. This is based on an OWASP recommendation (see https://www.owasp.org/index.php/Session_Fixation).
As I worked previously on a web project based on Apache Wicket, I was very confident that this wouldn't be a big issue. As it turns out now, I need some help here.
On the login page we are using some session-scoped beans (using the CDI @Named annotation). In order to switch the HTTP session, I use the following code during the login process:
    // Look up the current session without creating one (null if the client has none yet).
    HttpSession session = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false);
    if (session != null) {
        // Drop the old (possibly attacker-fixated) session ID.
        session.invalidate();
    }
    // Force the container to create a fresh session with a new ID.
    FacesContext.getCurrentInstance().getExternalContext().getSession(true);
As the CDI context is removed only at the end of the request cycle, the previously managed session beans are of course gone. And I didn't find a way to preserve the beans in the newly created CDI context.
What I am looking for is a way to switch the underlying HttpSession without destroying the CDI context. In Apache Wicket there is a very convenient method on the Session class, org.apache.wicket.Session.replaceSession(), which replaces the underlying HTTP session but preserves the Wicket session. Does anything similar exist in JSF?
Any help would be greatly appreciated
Greetings,
Thomas
See the answer from jharting in Switching HTTPSession after successful login to prevent Session Fixation.
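The session rotation discussed in the post (invalidate the session the client arrived with, then create a new one), carried out so that the old session's attributes are carried over to the new session. This is an added example and is not code from Thomas's post, from Mojarra or from JBoss; the class name, package name and the doNotCopy parameter are made up for illustration. It assumes the Servlet 3.0 API (JBoss AS 7.1 predates HttpServletRequest.changeSessionId(), which arrived in Servlet 3.1) and that the state worth keeping, including the attributes in which Weld stores session-scoped bean instances, lives in HttpSession attributes. Whether Weld on AS 7.1 picks the copied instances up again within the same request is exactly the open question of the post and is not claimed here.

```java
package example.security; // hypothetical package name (assumption)

import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Rotates the HttpSession ID after authentication on a Servlet 3.0 container.
 * The attributes of the old session are copied into the new one so that state
 * stored there survives the switch; only the session ID (and cookie) changes,
 * which is what defeats session fixation.
 */
public final class SessionMigration {

    private SessionMigration() {}

    /** Same as migrate(request, empty set): copy every attribute. */
    public static HttpSession migrate(HttpServletRequest request) {
        return migrate(request, Collections.<String>emptySet());
    }

    /**
     * Invalidates the current session and creates a new one carrying the old
     * attributes, except those whose names are in doNotCopy (useful for data a
     * client could have planted in the pre-authentication session).
     * Returns the new session, or null if there was no session to rotate.
     */
    public static HttpSession migrate(HttpServletRequest request, Set<String> doNotCopy) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            return null;
        }

        // 1. Snapshot attributes, timeout and ID before the old session is gone.
        Map<String, Object> snapshot = new HashMap<String, Object>();
        for (Enumeration<String> names = old.getAttributeNames(); names.hasMoreElements();) {
            String name = names.nextElement();
            if (!doNotCopy.contains(name)) {
                snapshot.put(name, old.getAttribute(name));
            }
        }
        int timeout = old.getMaxInactiveInterval();
        String oldId = old.getId();

        // 2. Invalidate: this is what retires an attacker-supplied (fixated) session ID.
        old.invalidate();

        // 3. Create a fresh session (new ID, new Set-Cookie) and restore the snapshot.
        HttpSession fresh = request.getSession(true);
        fresh.setMaxInactiveInterval(timeout);
        for (Map.Entry<String, Object> e : snapshot.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }

        // A container must hand out a new ID here; fail loudly rather than continue with the old one.
        if (fresh.getId().equals(oldId)) {
            throw new IllegalStateException("Container reused the session ID after invalidate()");
        }
        return fresh;
    }

    /** Convenience for JSF code: rotates the session of the current Faces request. */
    public static HttpSession migrateCurrent() {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        return migrate((HttpServletRequest) ec.getRequest());
    }
}
```

In a login action the call goes after the credentials have been verified and before the authenticated principal is stored, so that the principal only ever lives in the session whose ID the attacker could not have chosen: `HttpSession s = SessionMigration.migrateCurrent(); s.setAttribute("user", principal);`. Copying every attribute is convenient but carries over whatever the pre-login session held; if the login page lets an unauthenticated client write session state, pass those attribute names in doNotCopy.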