4 Replies Latest reply on May 9, 2016 6:29 AM by bvnghiem1012

    Session Fixation issue in Wildfly8.2


      Hi All,

   We are using WildFly 8.2 in our application, and we use j_security_check for login. Can anybody suggest how to solve the session fixation issue?


      Thanks and Regards


        • 1. Re: Session Fixation issue in Wildfly8.2



          Any ideas on this?


          On JBoss EAP 6 this can be solved by adding this to standalone.xml



                    <property name="org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH" value="true"/>



          Since WildFly uses Undertow, this solution is not valid.

          • 2. Re: Session Fixation issue in Wildfly8.2

            I don't think Undertow has a built-in Handler for this, but you can easily address this with a ServletFilter, e.g.


            import java.io.IOException;
            import javax.servlet.*;
            import javax.servlet.http.HttpServletRequest;
            import javax.servlet.http.HttpSession;

            public class MitigateSessionFixationFilter implements Filter {
                public void init(FilterConfig config) {
                }
                public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
                    if (request instanceof HttpServletRequest) {
                        HttpServletRequest req = (HttpServletRequest) request;
                        boolean authenticated = req.getUserPrincipal() != null; // authentication state before this request
                        chain.doFilter(request, response);
                        HttpSession session = req.getSession(false);
                        if ((session != null) && !session.isNew()) {
                            // anonymous -> authenticated during this request: rotate the session id
                            if (!authenticated && (req.getUserPrincipal() != null)) {
                                req.changeSessionId(); // Servlet 3.1 API; the body of this branch is truncated in the original post
                            }
                        }
                    } else {
                        chain.doFilter(request, response);
                    }
                }
                public void destroy() {
                }
            }


            In the meantime, I've opened https://issues.jboss.org/browse/UNDERTOW-579.
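As an added example (not code from this thread or from the Undertow project), the same rotation applied at a programmatic login endpoint instead of in a filter, together with a Servlet 3.1 HttpSessionIdListener that records each rotation so it can be verified in the server log. The `/app-login` path, the `username`/`password` parameter names and the two file names are assumptions; the point is that `changeSessionId()` runs before anything is written to the response, so the new cookie always reaches the client and the pre-login identifier stops being valid.

```java
// File: LoginServlet.java (assumed name)
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Programmatic login endpoint (assumed path /app-login, not the container's j_security_check).
 * The session id is rotated with the Servlet 3.1 changeSessionId() call BEFORE the redirect
 * is sent, i.e. while the response is still uncommitted and the new cookie can be set.
 */
@WebServlet("/app-login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");   // assumed form field names
        String pass = req.getParameter("password");
        try {
            // Authenticates against the security domain configured for this deployment.
            req.login(user, pass);
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // changeSessionId() throws IllegalStateException without a session, so make sure one exists.
        req.getSession();
        // Rotate the identifier: attributes stored before login survive, only the id changes.
        req.changeSessionId();
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

```java
// File: SessionIdAuditListener.java (assumed name)
import java.util.logging.Logger;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

/**
 * Audit hook: fires whenever a session id is changed in this deployment, whether by the
 * servlet above or by a filter, so rotation on login can be checked in the log.
 * Only a short prefix of each id is logged; a full session id in a log file is itself a secret.
 */
@WebListener
public class SessionIdAuditListener implements HttpSessionIdListener {
    private static final Logger LOG = Logger.getLogger(SessionIdAuditListener.class.getName());

    private static String prefix(String id) {
        return id == null ? "null" : id.substring(0, Math.min(6, id.length())) + "...";
    }

    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        String principal = event.getSession().getServletContext() == null ? "?" : "(see request log)";
        LOG.info("session id rotated: old=" + prefix(oldSessionId)
                + " new=" + prefix(event.getSession().getId()) + " user=" + principal);
    }
}
```

Deploy both classes in the web application; no web.xml entries are needed because they are annotation-registered. A quick way to confirm the mitigation is to note the JSESSIONID cookie value before submitting the login form and check that the value after the redirect differs and that a matching "session id rotated" line appears in the server log.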

            • 3. Re: Session Fixation issue in Wildfly8.2

              Thank you so much

              • 4. Re: Session Fixation issue in Wildfly8.2

                The ticket https://issues.jboss.org/browse/UNDERTOW-579 is done, but 1.1.10 is not released. I am also facing this issue but cannot upgrade to get the fix.