15 Replies. Latest reply on Jan 9, 2020 3:45 AM by bschatz
      • 15. Re: JSESSION ID is not changing after authentication

        pferraro wrote:

            bschatz wrote:

                The jsessionid *must not* change after login; this would violate the servlet specification (Chapter Security, Login and Logout):

                "... Containers may create HTTP Session objects to track login state. If a developer creates a session while a user is not authenticated, and the container then authenticates the user, the session visible to developer code after login must be the same session object that was created prior to login occurring so that there is no loss of session information."

                So the behaviour of wildfly is as specified.

            I think you are misinterpreting the specification.  This above snippet says nothing about the session identifier, only the session object.  A session identifier is a property of a session object and can change independently.  Thus the session object can be the same before and after login, even if the identifier changes.  Nor is the old session identifier truly "lost", as it is available to registered HttpSessionIdListeners.

        Good point, thx for the clarification.
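The distinction pferraro draws (same session object, different identifier) can be seen end to end with the Servlet 3.1 API. The following is an added example, not code from the thread or from WildFly; it assumes a Servlet 3.1+ container with container-managed login configured, and the servlet path and the "cart" attribute are hypothetical.

```java
// Added example: rotate the session identifier after request.login() while
// keeping the same HttpSession object, and observe the old id in a listener.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/login")  // hypothetical path
public class SessionRotatingLoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Pre-authentication session; the caller may already hold state here.
        HttpSession session = req.getSession(true);
        session.setAttribute("cart", "3 items");   // constructed sample state
        String idBefore = session.getId();

        // Container-managed authentication (Servlet 3.0); throws on failure.
        req.login(req.getParameter("username"), req.getParameter("password"));

        // Swap the identifier, not the session object: this is the session
        // fixation mitigation, and it still satisfies the spec text quoted above.
        String idAfter = req.changeSessionId();

        HttpSession after = req.getSession(false);
        boolean sameObject = (after == session);                            // expected true
        boolean stateKept = "3 items".equals(after.getAttribute("cart"));   // expected true
        boolean idRotated = !idBefore.equals(idAfter);                      // expected true

        resp.setContentType("text/plain");
        resp.getWriter().printf("sameObject=%b stateKept=%b idRotated=%b%n",
                sameObject, stateKept, idRotated);
    }
}

// The old identifier is not lost: the container hands it to every registered
// HttpSessionIdListener, which is where an audit trail of rotations belongs.
@WebListener
class SessionIdAuditListener implements HttpSessionIdListener {
    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        // Record a digest rather than the live ids, since logs outlive sessions.
        String oldDigest = Integer.toHexString(oldSessionId.hashCode());
        String newDigest = Integer.toHexString(event.getSession().getId().hashCode());
        System.out.printf("session id rotated: old=%s new=%s%n", oldDigest, newDigest);
    }
}
```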
