0 Replies Latest reply on Jul 24, 2012 8:37 AM by Bajrang Asthana

    Problem with jsession id

    Bajrang Asthana Newbie

      I need workaround for below-

       

      As I guess there is known issues with jsession id. JBoss does not genereate a new session id after logout(in the same brwoser) or browser uses same session id for all user's login. Session id is alive till max session period specified in web.xml. Actually I am using Seam framework, and while logout we call Seam.invalidateSession() method to invalidate session but after debuuging I found that browser was using same session id after logout and all the session variables are alive (that must be unbounded after logout). I have also tried Identity.instance().logout(), unfortunately it is also not working.

       

      I want to know how can we unbound all session varible and avoid session hijack or cookies theft.

       

      I am using JBoss 4.2.2.GA