5 Replies Latest reply on May 26, 2016 7:38 AM by nick.sree

    Wildfly 10 changeSessionId returns the same session id

    nick.sree

      We are using Spring Security's ChangeSessionIdAuthenticationStrategy to avoid session fixation exploitation. For a single app server this works fine, but when we load balance to multiple app servers the changeSessionId method in HttpServletRequest returns the same old session id. Any help would be appreciated.
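      A defensive check for the behaviour asked about above, added here as an example and not code from this thread, WildFly or Spring. The class and method names are hypothetical, and it assumes a Servlet 3.1+ container so that `HttpServletRequest.changeSessionId()` exists:

```java
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not WildFly or Spring code): call it from the login
 * handler immediately after credentials have been verified and before the
 * response is committed, so the new session cookie can still be sent.
 */
public final class SessionRotationCheck {
    private static final Logger LOG = Logger.getLogger(SessionRotationCheck.class.getName());

    private SessionRotationCheck() {
    }

    /**
     * Rotates the session id (Servlet 3.1+ changeSessionId) and reports
     * whether a different id was actually issued. Attributes are preserved;
     * only the identifier the client will present changes.
     * A false result means the session-fixation protection is ineffective
     * on this node, which is the symptom described in the question.
     */
    public static boolean rotateAndVerify(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false; // nothing to rotate; create the session before calling this
        }
        String before = session.getId();
        // With a session filter such as spring-session in front, this call is
        // answered by its request wrapper rather than by the container itself.
        String after = request.changeSessionId();
        if (before.equals(after)) {
            // Deliberately do not log the id itself; it is a bearer credential.
            LOG.severe("changeSessionId() returned the unchanged session id; check that "
                    + "all nodes share one session store and have synchronised clocks (NTP)");
            return false;
        }
        return true;
    }

    /** Fail closed: if rotation did not happen, drop the session instead of continuing. */
    public static void rotateOrInvalidate(HttpServletRequest request) {
        if (!rotateAndVerify(request)) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            throw new IllegalStateException("session id rotation failed; login aborted");
        }
    }
}
```

Running this on each node of a load-balanced deployment turns a silent failure of the rotation into a logged, fail-closed event rather than an accepted login on a fixed session id.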

        • 1. Re: Wildfly 10 changeSessionId returns the same session id
          pferraro

          WildFly 10 automatically changes the session ID following authentication - so I don't understand the need for spring here.


          First question: Is your web application <distributable/> in either or both scenarios (i.e. single server vs load balanced against multiple servers)?

          • 2. Re: Wildfly 10 changeSessionId returns the same session id
            nick.sree

            pferraro, thanks. Let me check once again whether WildFly itself does the changing of the session id, but I didn't see it changing before I applied the Spring one. My web app doesn't have distributable in web.xml; we are managing sessions using spring-session with Redis.


            Adding one more piece of info: in a WildFly 9.0.2.Final / Ubuntu environment we are not facing this issue, but in WildFly 10.0.0.Final / RHEL (production) we are facing this problem.


            Update: I checked it by removing Spring, but this time it's not changing the session id.

            • 3. Re: Wildfly 10 changeSessionId returns the same session id
              nick.sree

              pferraro, we found the issue: it was due to the time difference between the two app servers. Now we have synced our NTP and it started working.

              • 4. Re: Wildfly 10 changeSessionId returns the same session id
                pferraro

                That's good to hear.

                In general, though, I would recommend against using a session filter-based mechanism for distributed web sessions. While I understand the appeal of a container-independent solution, this design has some inherent issues:

                • Incompatible with container managed authentication/authorization.
                • Modifications to the session outside the context of the filter (e.g. by the container, other filters higher up the chain) are lost on failover, since these will never be visible to other nodes (since these won't touch the distributed cache)

                • Access to the session outside the context of the filter (e.g. by the container, other filters higher up the chain) can read stale data
                • It violates the servlet specification in a number of areas:
                  • HttpSessionIdChangedListeners are never triggered
                  • HttpSessionActivationListeners are not triggered appropriately on replication/passivation/activation
                  • HttpSessionListeners will trigger inconsistently, potentially prematurely, and on multiple nodes

                ... to name a few.

                • 5. Re: Wildfly 10 changeSessionId returns the same session id
                  nick.sree

                  pferraro, thank you for explaining it in detail. Let me explore the areas you have mentioned as issues of using it with the help of the spring-session community. I can carry each of these concerns to them and see how to go forward. Thanks a lot...