Is it possible to create a new Session ID using session.inva

jbosstak Nov 2, 2007 7:18 AM

For the following code?I was able to create a new Session ID under Tomcat5.5.
However, Session ID was the same under JBoss4.21GA.

session = request.getSession(true);
 out.println("session id=" + session.getId());

 request.getSession(true).invalidate();
 session = request.getSession(true);
 out.println("session id=" + session.getId());

To prevent Session Fixation Attack , I hope to create a new Session ID after the Login process.

If it is possible, could you please tell me the way ?

Thank you.

1. Re: Is it possible to create a new Session ID using session.

jfclere Nov 2, 2007 7:26 AM (in response to jbosstak)

You can't create a new SessionID when you have received a SessionID in the request.
Actions
2. Re: Is it possible to create a new Session ID using session.

jbosstak Nov 4, 2007 9:18 PM (in response to jbosstak)

Thank you for reply.

I could understand it is impossible to create a new SessionID under JBoss.

Are there any recommendation way to prevent Session Fixation Attack under JBoss?

If there are any recommendation way, could you please teach it to me ?

Thank you.
Actions

Go to original post