0 Replies Latest reply on May 21, 2007 5:17 AM by Ludwig Adam

    Session fixation problem

    Ludwig Adam Newbie

      Hi group,
      i have already posted this to jboss-user ml with no success so I hope I don't get slapped for crossposting...

      We are currently looking for ways to improve the security in our web applications to prevent session fixation.
      We are looking for ways to generate a new session ID after an user has been authenticated.

      This is our scenario:

      - The webapplication contains public and private content
      - public content is available by http, private/restricted content is only available by https
      - If the user is logging in, communication is done only by https

      We now want to generate a new session ID for the user session once he has authenticated in order to prevent session fixation / session hijacking (e.g. if chuck sniffes the http - communication / user doesn't use cookies and publishes a link with ;jsessionid-parameter).

      The solutions found so far suggested all a
      HttpServletRequest.getSession(true) after an invalidation:

      if (!session.isNew()) {
       session.invalidate(); // Invalidate old Session
       session= request.getSession(true); // Create new Session ID }


      However running this code on JBoss does not show the expected behaviour, no new session id is created.

      System.out.println(session.getID()); // Prints "Foo"
      session.invalidate(); // Invalidate old
      HttpSession session= request.getSession(true); // Should create new SessionID
      System.out.println(session.getID()); // Prints "Foo" again.


      Any hints how we can work around this issue or what we are doing wrong here are greatly appreciated.

      Thanks,
      Ludwig