1 Reply Latest reply on Oct 12, 2012 3:04 AM by Stephen Coy

    Session-fixation and org.apache.catalina.connector.Request.SESSION_ID_CHECK

    Vikas V Newbie

      Hi,

       

      Am using Jboss AS 5.1.0 GA.

       

      And am trying to work on Session-fixation concept in Jboss AS. Since, Session is created by App server, its the responsibility of the App server to create a new Session when a user logs in. This is to prevent Session-fixaction attack.

       

      As I search this forum, am starting to believe that creating a new Session after user logs in cannot be achieved in Jboss AS. Please refer these links(although the links are old. I didnt get new posts on this concept) https://community.jboss.org/message/126090#126090 and https://community.jboss.org/message/139808#139808. Many other links are there from other forums.

       

      But, after going throught this link https://community.jboss.org/message/548147#548147 , am feeling somehow it can be achieved by setting this value org.apache.catalina.connector.Request.SESSION_ID_CHECK as "true" or "false".  Is it so?

       

      If so, this value is there in a Jar file, is it configurable in some property file?

       

      Most importantly, can a new Session be created after a user logs in in Jboss AS?

       

      Regards,