1 Reply Latest reply on Feb 26, 2014 4:41 AM by jharting

    Switching HTTPSession after successful login to prevent Session Fixation


      Hello all,


      I'm working at the moment on a JSF web project, using JBoss AS 7.1.1.Final and Mojarra 2.1.7 (Mojarra 2.1.7-jbossorg-1). As an outcome of a security review, we have the requirement to switch the HTTPSession after a successful login of the user. This is based on a recommendation of OWASP (see https://www.owasp.org/index.php/Session_Fixation).


      As I worked previously on a web project based on Apache Wicket, I was very confident that this wouldn't be a big issue. As it turns out now, I need some help here.


      We are using some session-scoped beans on the login page (using the CDI @Named annotation). In order to switch the HTTP session, I use the following code during the login process:



            HttpSession session = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false);




      As the CDI context is removed at the end of the request cycle, the previously managed session beans are of course gone. And I didn't find a way to preserve the beans in the newly created CDI context.


      What I am looking for is a way to switch the underlying HTTPSession without destroying the CDI context. In Apache Wicket there is a very convenient method on the Session class: org.apache.wicket.Session.replaceSession(), which replaces the underlying HTTP session but preserves the Wicket session. Does anything similar exist in JSF with CDI?


      I posted this question already in the JSF forum, but I haven't got an answer yet. That's why I am trying it here again.


      Any help would be greatly appreciated.
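The session rotation the post asks about, written out as an added example (this is not code from the original post, from JSF, from Weld or from the OWASP page). It is a hypothetical helper class, SessionRotation, that does what the OWASP recommendation requires on a Servlet 3.0 container such as JBoss AS 7.1.1: snapshot the attributes of the pre-login session, invalidate it so the attacker-known identifier is dead server-side, obtain a fresh session (and therefore a fresh JSESSIONID cookie) and restore the snapshot. Whether the restored attributes are enough for Weld to keep the @SessionScoped bean instances alive is an assumption this example does not verify; what it guarantees is that the session identifier changes while the plain session attributes survive.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Rotates the HTTP session identifier after a successful login, the OWASP
 * "Session Fixation" countermeasure. Hypothetical helper written for this
 * example; it is not part of JSF, Weld or the original post.
 */
public final class SessionRotation {

    private SessionRotation() {
    }

    /**
     * Call this from the login action right after the credentials have been
     * verified and BEFORE any post-login state is stored in the session.
     * Returns the new session so the caller can keep working with it.
     */
    public static HttpSession rotateAfterLogin(FacesContext ctx) {
        HttpServletRequest request =
                (HttpServletRequest) ctx.getExternalContext().getRequest();
        HttpSession old = request.getSession(false);
        if (old == null) {
            // No session was issued before login, so there is no
            // attacker-chosen identifier to get rid of: just create one.
            return request.getSession(true);
        }

        // 1. Snapshot every attribute of the pre-login session. Anything an
        //    attacker could have planted into a fixated session also lives
        //    here, so copy only what the application really needs if in doubt.
        Map<String, Object> attrs = new HashMap<String, Object>();
        Enumeration<String> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            attrs.put(name, old.getAttribute(name));
        }

        // 2. Invalidate: the container discards the old session and its id.
        old.invalidate();

        // 3. Create a replacement; the container generates a new id and sends
        //    a fresh JSESSIONID cookie with the response.
        HttpSession fresh = request.getSession(true);

        // 4. Restore the application state into the new session. Assumption:
        //    the objects are plain session attributes; the example does not
        //    claim that Weld re-adopts bean instances moved this way.
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

To check that the rotation actually happened, compare the JSESSIONID cookie (or HttpSession.getId()) in the response of the login request with the one sent in the request: they must differ, and a request replaying the old identifier must get a new, empty session instead of the logged-in one. On a Servlet 3.1 or newer container the same goal can be reached with HttpServletRequest.changeSessionId(), which rotates only the identifier and leaves the session object, and with it the session-scoped beans, untouched; JBoss AS 7.1.1 implements Servlet 3.0, so that method is not available there and the copy-and-invalidate approach above is what remains.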