aspose file tools*
The moose likes JBoss/WildFly and the fly likes Changing the session id on Login Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Products » JBoss/WildFly
Bookmark "Changing the session id on Login" Watch "Changing the session id on Login" New topic
Author

Changing the session id on Login

Joshua Antony
Ranch Hand

Joined: Jun 05, 2006
Posts: 254
Hi All,

I want to change the session id of the user when he logs in to the application to prevent against session fixation . I have tried below with no luck -

1. Invalidate the session before log in by session.invalidate()- this results in side effects since we have many session scoped components which cannot be ignored on log in
2. Use valve to invalidate session - again this resulted in lot of side effects due to session scoped components


So, just looking for a way to change the session id instead of invalidate the old session. I think this can be achieved in latest tomcat version by calling ManagerBase.changeSesionId() , but unfortunately I am running with old JBoss

Any help is highly appreciated.

Regards,
Joshua


SCJP,SCWCD, Into ATG now!
Prashant Chotu
Greenhorn

Joined: Jun 28, 2012
Posts: 19
1. You can use the below utility function. This invalidates existing session and create a new session copied all the attributes except JSESSIONID from the existing session.

public static def invalidateExistingSessionAndCreateNewSession(def session, def request){
def sessionAttributes = session.attributeNames
def map = new HashMap()
def attributeName
while (sessionAttributes.hasMoreElements()){
attributeName = sessionAttributes.nextElement()
if(!"JSESSIONID".equalsIgnoreCase(attributeName)){
map.put(attributeName, session.getValue(attributeName))
}
}
session.invalidate()
session = request.getSession(true)
Set entrySet = map.entrySet()
Map.Entry entry
for(Iterator i = entrySet.iterator();i.hasNext();){
entry = (Map.Entry)i.next();
session.setAttribute(entry.getKey(),entry.getValue())
}
return session
}

2. If you make use of Valve in Context, then I think the session gets renamed. Its existing attributes do not get destroyed.

Thanks,
Prashant Gupta
 
Consider Paul's rocket mass heater.
 
subject: Changing the session id on Login