Hi, reposting this issue, please direct me to the right group if I am wrong here :-) Can anyone help on the issue below?
Thanks, Ludwig

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Ludwig Adam
Sent: Wednesday, 16 May 2007 18:29
To: jboss-user@lists.jboss.org
Subject: *SPAM* [jboss-user] Session fixation / getSession(true) does not create new SessionID

Hi group,

we are currently looking for ways to improve the security in our web applications to prevent session fixation. We are looking for ways to generate a new session ID after a user has been authenticated. This is our scenario:

- The web application contains public and private content
- Public content is available by http; private/restricted content is only available by https
- If the user is logging in, communication is done only by https

We now want to generate a new session ID for the user session once he has authenticated, in order to prevent session fixation / session hijacking (e.g. if Chuck sniffs the http communication, or the user doesn't use cookies and publishes a link with the ;jsessionid parameter).

The solutions found so far all suggested a HttpServletRequest.getSession(true) after an invalidation:

    if (session.isNew()) {
        session.invalidate();                 // Invalidate old session
        session = request.getSession(true);   // Create new session ID
    }

However, running this code on JBoss does not show the expected behaviour; no new session ID is created.

    System.out.println(session.getId());      // Prints "Foo"
    session.invalidate();                     // Invalidate old session
    session = request.getSession(true);       // Should create new session ID
    System.out.println(session.getId());      // Prints "Foo" again.

Any hints on how we can work around this issue or what we are doing wrong here are greatly appreciated.

Thanks, Ludwig

_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user
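One way to do the post-login regeneration described in the post, as an added example that is not from the original thread, from JBoss or from the Servlet API: a hypothetical helper (`SessionRegenerator`, assumed name) that carries the existing session attributes over to a fresh session and checks that the ID actually changed, so a container that hands back the same ID (the behaviour reported above) fails closed instead of silently keeping the pre-login ID. It assumes the Servlet 2.x API the post uses; on Servlet 3.1 and later containers `HttpServletRequest.changeSessionId()` does the same job without the attribute copy.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Added example, hypothetical helper: not part of the original post or of JBoss. */
public final class SessionRegenerator {

    private SessionRegenerator() {}

    /**
     * Replaces the caller's session with a fresh one that carries the same
     * attributes. Throws if the container reused the old ID, because continuing
     * with a fixed ID would leave the login open to session fixation.
     */
    public static HttpSession regenerate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        String oldId = (old == null) ? null : old.getId();

        // Preserve application state (e.g. a shopping cart) across the ID change.
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();   // retire the ID the attacker may already know
        }

        HttpSession fresh = request.getSession(true);

        // Defensive check: the whole point is a new ID; refuse to proceed otherwise.
        if (oldId != null && oldId.equals(fresh.getId())) {
            fresh.invalidate();
            throw new IllegalStateException(
                "container reused session id after invalidate(): " + oldId);
        }

        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Call it right after the credentials have been verified and store the authenticated principal on the returned session, never on the old one, so authenticated state is only ever bound to the post-login ID.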