Changing the session id on Login

Joshua Antony
Ranch Hand
Joined: Jun 05, 2006
Posts: 254
Hi All,
I want to change the session id of the user when he logs in to the application to protect against session fixation. I have tried the below with no luck:
1. Invalidate the session before login by session.invalidate() - this results in side effects since we have many session scoped components which cannot be ignored on login
2. Use a valve to invalidate the session - again this resulted in a lot of side effects due to session scoped components
So, I am just looking for a way to change the session id instead of invalidating the old session. I think this can be achieved in the latest Tomcat version by calling ManagerBase.changeSessionId(), but unfortunately I am running with an old JBoss.
Any help is highly appreciated.
Regards,
Joshua
SCJP, SCWCD, into ATG now!

Prashant Chotu
Greenhorn
Joined: Jun 28, 2012
Posts: 19
1. You can use the utility function below. It invalidates the existing session and creates a new session, copying all the attributes except JSESSIONID from the existing session.

    import javax.servlet.http.HttpServletRequest
    import javax.servlet.http.HttpSession

    // Invalidates the current session and creates a fresh one (new id), then copies
    // every attribute of the old session into it so session-scoped components survive.
    // Attributes are read out first because invalidate() makes them unreachable.
    public static HttpSession invalidateExistingSessionAndCreateNewSession(HttpSession session, HttpServletRequest request) {
        Map<String, Object> saved = [:]
        Enumeration<String> names = session.getAttributeNames()
        while (names.hasMoreElements()) {
            String name = names.nextElement()
            // JSESSIONID is carried in the cookie, not stored as a session attribute
            if (!"JSESSIONID".equalsIgnoreCase(name)) {
                saved[name] = session.getAttribute(name)   // getAttribute() replaces the deprecated getValue()
            }
        }
        session.invalidate()
        session = request.getSession(true)                 // the container assigns a new session id here
        saved.each { String name, Object value -> session.setAttribute(name, value) }
        return session
    }
2. If you use a Valve in the Context, then I think the session gets renamed. Its existing attributes do not get destroyed.
Thanks,
Prashant Gupta
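Added editorial example, not code from either poster: the approach Joshua asked for, changing the id of the live session without invalidating it, became portable with HttpServletRequest.changeSessionId() in Servlet 3.1. The login servlet below rotates the id after the credentials check and before anything is written to the response, so the container can still set the new JSESSIONID cookie; session-scoped attributes stay in place because the session object itself is never discarded. The user map, the "user" attribute name and the /home redirect are assumptions made for the example; on a container older than Servlet 3.1 (the old JBoss in the question) this method does not exist and the invalidate-and-recreate route from the reply above is the portable fallback.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the thread): keep the session and its attributes,
// but give it a new id on successful login (Servlet 3.1 changeSessionId()).
public class LoginServlet extends HttpServlet {

    // Constructed test user for the example; a real deployment checks a
    // salted password hash against its user store instead.
    private static final Map<String, String> USERS =
            Collections.singletonMap("alice", "correct horse");

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");
        String password = request.getParameter("password");

        if (!credentialsValid(user, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        HttpSession session = request.getSession(true);
        String oldId = session.getId();

        // Rotate before writing to the response: the new JSESSIONID cookie is
        // sent in the response headers, which cannot change once committed.
        String newId = rotateSessionId(request);

        // Mark the session as authenticated only on the rotated id, so an id an
        // attacker planted before login never becomes an authenticated session.
        session.setAttribute("user", user);   // assumed attribute name
        log("login for " + user + ": session id " + oldId + " replaced by " + newId);
        response.sendRedirect(request.getContextPath() + "/home");   // assumed landing page
    }

    // Changes the id of the current session without invalidating it; attributes
    // set before login (cart, locale, wizard state, ...) survive untouched.
    static String rotateSessionId(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            throw new IllegalStateException("no session to rotate");
        }
        String oldId = session.getId();
        String newId = request.changeSessionId();   // Servlet 3.1+
        if (oldId.equals(newId)) {
            // A container that silently hands back the same id leaves the
            // fixation window open; fail loudly rather than log the user in.
            throw new IllegalStateException("container did not rotate the session id");
        }
        return newId;
    }

    private static boolean credentialsValid(String user, String password) {
        if (user == null || password == null) {
            return false;
        }
        String expected = USERS.get(user);
        if (expected == null) {
            return false;
        }
        // Constant-time comparison of the constructed example secrets.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }
}
```

To check the rotation end to end, log in with the browser's pre-login JSESSIONID noted, confirm the Set-Cookie header on the login response carries a different value, and then replay a request with the old id: it must be treated as an anonymous session, not as alice.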