0 Replies Latest reply on Oct 4, 2011 7:07 AM by sureshtechspot

    creating new session id after login - Jboss 5.1.0

    sureshtechspot

      Hi,

       

        Recently I was asked to add session fixation protection to our intranet web application, which is running in JBoss 5.1.0. The solution for this is to generate a new session id after successful login.

       

      So I searched the forum for a solution, without success. But what I understood is that with JBoss / Tomcat we can't do anything so that it will be taken care of by the AS. I need to write a Valve to do the job. That means, for the login request, invalidate the existing session and generate a new session and id in the Valve implementation.

       

      If I go for a Valve, I need to depend on the JBoss library, which I don't want. Can anyone suggest a solution, or is a Valve the only solution?

       

      Urgent help is required. Thanks in advance.

       

      -Suresh
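
The session rotation described in the post, as an added example that is not part of the original post: it uses only the standard Servlet 2.5 API (no JBoss classes) and assumes the application verifies credentials in its own login handler rather than through container-managed `j_security_check`. The names `SessionRotation` and `rotate` are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: issues a new session id at login (Servlet 2.5 API only). */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Call after the credentials have been verified and before any
     * authenticated state is written to the session.
     *
     * @param keep names of pre-login attributes to carry over; anything not
     *             listed is dropped, since a pre-login session may have been
     *             planted or populated by someone else
     */
    public static HttpSession rotate(HttpServletRequest request, String... keep) {
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            for (String name : keep) {
                Object value = old.getAttribute(name);
                if (value != null) {
                    saved.put(name, value);
                }
            }
            // The id the browser presented before login stops being valid here.
            old.invalidate();
        }
        // The container generates a fresh id and sends a new session cookie.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

The login handler would call `SessionRotation.rotate(request, "locale")` (attribute name constructed for illustration) and only then store the authenticated user in the returned session.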