4 Replies Latest reply on May 9, 2016 6:29 AM by bvnghiem1012

    Session Fixation issue in Wildfly8.2

    anuk

      Hi All,

     We are using WildFly 8.2 in our application, and we use j_security_check for login. Can anybody suggest how to solve the session fixation issue?

       

      Thanks and Regards

      Anu

        • 1. Re: Session Fixation issue in Wildfly8.2
          dnovo

          Hi,

           

          Any ideas on this?

           

          On JBoss EAP 6 this can be solved by adding this to standalone.xml:

           

          <system-properties>

                    <property name="org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH" value="true"/>

          </system-properties>

           

          Since WildFly uses Undertow, this solution is not valid.

          • 2. Re: Session Fixation issue in Wildfly8.2
            pferraro

            I don't think Undertow has a built-in Handler for this, but you can easily address this with a ServletFilter, e.g.

             

            import java.io.IOException;

            import javax.servlet.Filter;
            import javax.servlet.FilterChain;
            import javax.servlet.FilterConfig;
            import javax.servlet.ServletException;
            import javax.servlet.ServletRequest;
            import javax.servlet.ServletResponse;
            import javax.servlet.http.HttpServletRequest;
            import javax.servlet.http.HttpSession;

            // Rotates the session ID when a request that started out unauthenticated
            // ends up authenticated. changeSessionId() needs Servlet 3.1 (Java EE 7).
            public class MitigateSessionFixationFilter implements Filter {
                @Override
                public void init(FilterConfig config) {
                }

                @Override
                public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
                    if (request instanceof HttpServletRequest) {
                        HttpServletRequest req = (HttpServletRequest) request;
                        // Remember whether a principal was already attached before the chain ran
                        boolean authenticated = req.getUserPrincipal() != null;
                        chain.doFilter(request, response);
                        HttpSession session = req.getSession(false);
                        // A session created during this request cannot have been fixed by an
                        // attacker, so only a pre-existing session needs a new ID
                        if ((session != null) && !session.isNew()) {
                            if (!authenticated && (req.getUserPrincipal() != null)) {
                                // Keeps the session attributes; only the ID (and the cookie) changes
                                req.changeSessionId();
                            }
                        }
                    } else {
                        chain.doFilter(request, response);
                    }
                }

                @Override
                public void destroy() {
                }
            }
            
            

             

            In the meantime, I've opened https://issues.jboss.org/browse/UNDERTOW-579.
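
            As an added example (not from this thread, not pferraro's code, and not part of WildFly or Undertow): another way to make sure the ID changes on login, without depending on where a filter sits relative to the container's j_security_check handling, is to post the form to your own servlet and authenticate with the Servlet 3.0 programmatic API, HttpServletRequest.login(). That call returns before anything is written to the response, so you decide what happens to the session before and after the credentials are checked. The servlet name, the /login mapping, the login.html error page and the login.target attribute are assumptions; the j_username/j_password parameter names are reused only so an existing form keeps working. changeSessionId() is Servlet 3.1, which WildFly 8 provides.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example login servlet (hypothetical; not WildFly or Undertow code).
 * The HTML form posts here instead of to j_security_check. Because
 * HttpServletRequest.login() returns before the response is written,
 * the session can be replaced before the container associates it with
 * the authenticated principal.
 */
@WebServlet("/login")
public class RotatingLoginServlet extends HttpServlet {

    /** Assumed attribute name under which the app stores the post-login destination. */
    static final String TARGET_ATTR = "login.target";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("j_username");
        String pass = req.getParameter("j_password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // 1. The session that carried the login form is the one an attacker could
        //    have fixed. Keep only the pre-login state we need, then discard it.
        HttpSession old = req.getSession(false);
        Object target = (old != null) ? old.getAttribute(TARGET_ATTR) : null;
        if (old != null) {
            old.invalidate();
        }

        // 2. Authenticate against the deployment's security domain. On failure the
        //    method throws ServletException and no principal is attached.
        try {
            req.login(user, pass);
        } catch (ServletException e) {
            resp.sendRedirect(req.getContextPath() + "/login.html?error=1");
            return;
        }

        // 3. The session the principal lives in was created on this request (by the
        //    container during login() if it caches the principal in the session,
        //    otherwise right here), so its ID was never visible to anyone before
        //    the credentials were verified.
        HttpSession fresh = req.getSession(true);
        if (target != null) {
            fresh.setAttribute(TARGET_ATTR, target);
        }

        // 4. Rotate once more so the ID in the Set-Cookie header differs from any ID
        //    generated before login() succeeded (Servlet 3.1 API, defence in depth).
        req.changeSessionId();

        // target is set by the application, not by the client, so it is safe to follow
        String dest = (target instanceof String) ? (String) target : req.getContextPath() + "/";
        resp.sendRedirect(dest);
    }
}
```

            Invalidating the old session drops everything an attacker could have planted in it, whereas changeSessionId() on its own, as in the filter above, keeps the attributes and only swaps the identifier; if your application relies on pre-login session state, copy the attributes you need across, as done here for the redirect target. The security domain that req.login() checks against is whatever the deployment's web.xml and jboss-web.xml configure, and the call throws ServletException for bad credentials, if a caller identity is already established, or if the configured mechanism does not support username/password login.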

            • 3. Re: Session Fixation issue in Wildfly8.2
              anuk

              Thank you so much

              • 4. Re: Session Fixation issue in Wildfly8.2
                bvnghiem1012

                The ticket https://issues.jboss.org/browse/UNDERTOW-579 is done, but 1.1.10 is not released. I am also facing this issue but cannot upgrade to get the fix.