File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes JBoss/WildFly and the fly likes Changing the session id on Login Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Products » JBoss/WildFly
Bookmark "Changing the session id on Login" Watch "Changing the session id on Login" New topic
Author

Changing the session id on Login

Joshua Antony
Ranch Hand

Joined: Jun 05, 2006
Posts: 254
Hi All,

I want to change the session id of the user when he logs in to the application to prevent against session fixation . I have tried below with no luck -

1. Invalidate the session before log in by session.invalidate()- this results in side effects since we have many session scoped components which cannot be ignored on log in
2. Use valve to invalidate session - again this resulted in lot of side effects due to session scoped components


So, just looking for a way to change the session id instead of invalidate the old session. I think this can be achieved in latest tomcat version by calling ManagerBase.changeSesionId() , but unfortunately I am running with old JBoss

Any help is highly appreciated.

Regards,
Joshua


SCJP,SCWCD, Into ATG now!
Prashant Chotu
Greenhorn

Joined: Jun 28, 2012
Posts: 19
1. You can use the below utility function. This invalidates existing session and create a new session copied all the attributes except JSESSIONID from the existing session.

public static def invalidateExistingSessionAndCreateNewSession(def session, def request){
def sessionAttributes = session.attributeNames
def map = new HashMap()
def attributeName
while (sessionAttributes.hasMoreElements()){
attributeName = sessionAttributes.nextElement()
if(!"JSESSIONID".equalsIgnoreCase(attributeName)){
map.put(attributeName, session.getValue(attributeName))
}
}
session.invalidate()
session = request.getSession(true)
Set entrySet = map.entrySet()
Map.Entry entry
for(Iterator i = entrySet.iterator();i.hasNext();){
entry = (Map.Entry)i.next();
session.setAttribute(entry.getKey(),entry.getValue())
}
return session
}

2. If you make use of Valve in Context, then I think the session gets renamed. Its existing attributes do not get destroyed.

Thanks,
Prashant Gupta
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Changing the session id on Login
 
Similar Threads
Is it possible to merge two session?
How to block multiple logins of the same user
Deleting session deletes all my sessions
How to invalidate user's session forcefully
Handle session ID after deleting cookies