Changing the session id on Login

Joshua Antony
Ranch Hand

Joined: Jun 05, 2006
Posts: 254
Hi All,

I want to change the session id of the user when he logs in to the application, to protect against session fixation. I have tried the approaches below with no luck:

1. Invalidate the session before login with session.invalidate() - this results in side effects, since we have many session-scoped components which cannot be ignored on login
2. Use a valve to invalidate the session - again, this resulted in a lot of side effects due to session-scoped components

So, I am just looking for a way to change the session id instead of invalidating the old session. I think this can be achieved in the latest Tomcat version by calling ManagerBase.changeSessionId(), but unfortunately I am running an old JBoss.

Any help is highly appreciated.


Prashant Chotu

Joined: Jun 28, 2012
Posts: 19
1. You can use the utility function below. It invalidates the existing session and creates a new session, copying all the attributes except JSESSIONID from the existing session.

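public static def invalidateExistingSessionAndCreateNewSession(def session, def request) {
    // Copy every attribute of the pre-login session into a temporary map
    def sessionAttributes = session.attributeNames
    def map = new HashMap()
    def attributeName
    while (sessionAttributes.hasMoreElements()) {
        attributeName = sessionAttributes.nextElement()
        map.put(attributeName, session.getAttribute(attributeName))
    }
    // Discard the old session so its id can no longer be used
    session.invalidate()
    // Create a fresh session (new JSESSIONID) and restore the attributes
    session = request.getSession(true)
    Set entrySet = map.entrySet()
    Map.Entry entry
    for (Iterator i = entrySet.iterator(); i.hasNext();) {
        entry = (Map.Entry) i.next()
        session.setAttribute(entry.getKey(), entry.getValue())
    }
    return session
}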

2. If you make use of Valve in Context, then I think the session gets renamed. Its existing attributes do not get destroyed.

Prashant Gupta
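
An added example, not part of either post: a Java helper that renames the session in place through the standard Servlet 3.1 method HttpServletRequest.changeSessionId() when the container provides it, falls back to the copy-and-recreate approach on older containers, and refuses to continue if the id did not change. The class and method names (SessionIdRotator, rotate, renameInPlace, copyToNewSession) are hypothetical, and the javax.servlet namespace is assumed.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: call right after the credentials have been verified. */
public final class SessionIdRotator {
    public static HttpSession rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            return request.getSession(true); // no pre-login session to carry over
        }
        String oldId = old.getId();
        HttpSession current = renameInPlace(request);
        if (current == null) { current = copyToNewSession(request, old); }
        if (oldId.equals(current.getId())) {
            // Fail closed: a login that keeps the pre-login id is still fixable.
            throw new IllegalStateException("session id was not changed on login");
        }
        return current;
    }

    // Servlet 3.1+ only: same session object, so attributes stay bound.
    // Looked up reflectively so the class also compiles against older APIs.
    private static HttpSession renameInPlace(HttpServletRequest request) {
        try {
            HttpServletRequest.class.getMethod("changeSessionId").invoke(request);
            return request.getSession(false);
        } catch (Exception e) {
            return null; // method missing or call failed: caller falls back
        }
    }

    // Older containers: snapshot, invalidate, recreate. Session listeners and
    // session-scoped components see the old session being destroyed.
    private static HttpSession copyToNewSession(HttpServletRequest request, HttpSession old) {
        Map<String, Object> saved = new HashMap<String, Object>();
        for (Object name : Collections.list(old.getAttributeNames())) {
            saved.put((String) name, old.getAttribute((String) name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```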