
Changing the session id on Login

Joshua Antony
Ranch Hand

Joined: Jun 05, 2006
Posts: 254
Hi All,

I want to change the session id of the user when he logs in to the application to prevent session fixation. I have tried the below with no luck:

1. Invalidate the session before login with session.invalidate() - this results in side effects, since we have many session-scoped components which cannot be ignored on login
2. Use a valve to invalidate the session - again this resulted in a lot of side effects due to session-scoped components

So, just looking for a way to change the session id instead of invalidating the old session. I think this can be achieved in the latest Tomcat version by calling ManagerBase.changeSessionId(), but unfortunately I am running an old JBoss.

Any help is highly appreciated.


Prashant Chotu

Joined: Jun 28, 2012
Posts: 19
1. You can use the below utility function. This invalidates the existing session and creates a new session, copying all the attributes except JSESSIONID from the existing session.

    public static def invalidateExistingSessionAndCreateNewSession(def session, def request) {
        // Copy every attribute out of the current session
        def sessionAttributes = session.attributeNames
        def map = new HashMap()
        def attributeName
        while (sessionAttributes.hasMoreElements()) {
            attributeName = sessionAttributes.nextElement()
            map.put(attributeName, session.getAttribute(attributeName))
        }
        // Invalidate the old session so its id can no longer be used
        session.invalidate()
        // Create a fresh session, which is issued a new JSESSIONID
        session = request.getSession(true)
        Set entrySet = map.entrySet()
        Map.Entry entry
        for (Iterator i = entrySet.iterator(); i.hasNext();) {
            entry = (Map.Entry) i.next()
            session.setAttribute(entry.getKey(), entry.getValue())
        }
        return session
    }

2. If you make use of Valve in Context, then I think the session gets renamed. Its existing attributes do not get destroyed.

Prashant Gupta
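
An added example, not part of either post above and not JBoss or Tomcat code: a Java helper that rotates the session id at login, using `HttpServletRequest.changeSessionId()` where the container provides it (Servlet 3.1 and later) and falling back to the copy, invalidate and recreate approach otherwise, then checking that the id really changed. The class name `SessionIdRotator` and its method names are hypothetical; it assumes the `javax.servlet` API and Java 7 or later.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper (added example): issue a new session id at login. */
public final class SessionIdRotator {

    /** Call right after credentials are verified, before login state is stored. */
    public static HttpSession rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            return request.getSession(true); // no pre-login session to fixate on
        }
        String oldId = old.getId();

        // Servlet 3.1+ containers: the id changes in place, attributes untouched.
        // Looked up reflectively so the class also loads against an older servlet API.
        try {
            HttpServletRequest.class.getMethod("changeSessionId").invoke(request);
            return verify(request.getSession(false), oldId);
        } catch (NoSuchMethodException e) {
            // older servlet API: fall through to copy-and-recreate
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("changeSessionId failed", e);
        }

        // Fallback: snapshot attributes, invalidate, recreate, restore.
        Map<String, Object> saved = new HashMap<String, Object>();
        for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
            String name = (String) names.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate(); // HttpSessionBindingListener attributes get valueUnbound() here
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue()); // and valueBound() again here
        }
        return verify(fresh, oldId);
    }

    /** Fail closed: a login that keeps the pre-login id is still fixable. */
    private static HttpSession verify(HttpSession session, String oldId) {
        if (session == null || oldId.equals(session.getId())) {
            throw new IllegalStateException("session id was not changed at login");
        }
        return session;
    }
}
```

On the fallback path, session-scoped components that implement `HttpSessionBindingListener` or react to `HttpSessionListener.sessionDestroyed()` still see the invalidation, which is the source of the side effects described in the question.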