Recently I was asked to add session fixation protection to our intranet web application, which is running on JBoss 5.1.0. The solution for this is to generate a new session ID after a successful login.
So I searched the forum for a solution, without success. What I understood is that with JBoss / Tomcat we can't do anything so that it will be taken care of by the AS. I need to write a Valve to do the job. That means, for a login request, invalidating the existing session and generating a new session and ID in the Valve implementation.
If I go for a Valve I need to depend on the JBoss library, which I don't want. Can anyone suggest a solution, or is a Valve the only solution?
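
The step described in the post (invalidate the existing session on login and create a new session and ID), as an added example that is not part of the original post. It uses only the standard Servlet 2.5 `javax.servlet.http` API, so it carries no JBoss or Tomcat dependency; the names `SessionRotator` and `rotate` are hypothetical, and it assumes the application verifies the credentials in its own code and calls the helper right after that check succeeds.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: standard Servlet 2.5 API only, no container classes. */
public final class SessionRotator {

    private SessionRotator() {}

    /**
     * Replaces the pre-login session with a new one that has a new ID.
     * Assumption: called after the credential check succeeds and before
     * any "authenticated" marker is written to the session.
     */
    public static HttpSession rotate(HttpServletRequest request) {
        Map<String, Object> saved = new HashMap<String, Object>();
        Integer maxInactive = null;

        HttpSession old = request.getSession(false);
        if (old != null) {
            maxInactive = Integer.valueOf(old.getMaxInactiveInterval());
            // Carry state across the rotation. Everything in here was set
            // before authentication, so an application should copy only
            // the attributes it actually needs after login.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            // The old ID (possibly known to someone else) stops being valid.
            old.invalidate();
        }

        // The container issues a fresh session ID here.
        HttpSession fresh = request.getSession(true);
        if (maxInactive != null) {
            fresh.setMaxInactiveInterval(maxInactive.intValue());
        }
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

A login servlet or action would call `SessionRotator.rotate(request)` and only then store the authenticated user in the returned session.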