[ 
https://issues.jboss.org/browse/JBSEAM-2450?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12743620#comment-12743620
 ] 

ahus1 commented on JBSEAM-2450:
-------------------------------

Hello Ricardo, 

the newSession() method needs to be called manually whenever you want to have a 
new session ID. 

I call it after a successful authentication of the user. If you are using Seam 
and have a custom Authenticator, this will be a good place to call this method.

Best regards,
Alexander.
                
> OWASP / New Session after Login
> -------------------------------
>
>                 Key: JBSEAM-2450
>                 URL: https://issues.jboss.org/browse/JBSEAM-2450
>             Project: Seam 2
>          Issue Type: Feature Request
>          Components: Security
>    Affects Versions: 2.0.0.GA
>         Environment: Linux 2.6, jetty 6.1.5 and tomcat 6, java 6
>            Reporter: ahus1
>            Assignee: Shane Bryzak
>             Fix For: The future
>
>         Attachments: NewSessionFilter.java, NewSessionFilter.java, 
> NewSessionFilter.java, SessionFixationProtectionValve.java
>
>
> Hello,
> OWASP has compiled a "top 10" vulnerabilities for web applications.
> One suggestion against session hijacking was the following: Start a new 
> HTTP-Session after a successful login:
> "Consider regenerating a new session upon successful authentication or 
> privilege level change."
>    http://www.owasp.org/index.php/Top_10_2007-A7
> Therefore there should be a (configurable?) switch to choose "continue with 
> new session ID after successful log on"
> I have thought of invalidating the current HTTP session, creating a new one 
> and copying all elements from the old session to the new session in my 
> Authenticator. But Seam 2.0.0 doesn't allow this: When I use the lowlevel 
> functions this is blocked by IllegalStateException("Please end the 
> HttpSession via Seam.invalidateSession()") in Lifecycle. When I use 
> Seam.invalidateSession(), the session is only destroyed at the end of the 
> request and I am unable to copy any objects in my Authenticator as the new 
> session doesn't exist yet. 
> The workaround I have come up with is a filter that destroys the complete 
> session before the log in. 
> This is not very elegant, but it works for me as I don't have i.e. a shopping 
> basket that I'd like to preserve.
> A "nice" implementation in seam shouldn't have this limitation. 
> [email protected] asked for this ticket to be assigned to her.
> The Java Class:
> Code:
> import java.io.IOException;
> import javax.servlet.Filter;
> import javax.servlet.FilterChain;
> import javax.servlet.FilterConfig;
> import javax.servlet.ServletException;
> import javax.servlet.ServletRequest;
> import javax.servlet.ServletResponse;
> import javax.servlet.http.HttpServletRequest;
> import org.apache.commons.logging.Log;
> import org.apache.commons.logging.LogFactory;
> 
> /**
>  * This filter enforces a new session whenever there is a POST, should be
>  * mapped to the URL of the login page in your web.xml
>  * @author Alexander Schwartz 2007
>  */
> public class NewSessionFilter implements Filter {
>   private Log log = LogFactory.getLog(NewSessionFilter.class);
>   
>   private String url;
>   
>   public void destroy() {
>     // empty.
>   }
>   
>   public void doFilter(ServletRequest request, ServletResponse response,
>       FilterChain chain) throws IOException, ServletException {
>     if (request instanceof HttpServletRequest) {
>       HttpServletRequest httpRequest = (HttpServletRequest) request;
>       // Only act on the login POST itself, and only if the client already
>       // carries an established (not freshly created) session that could
>       // have been fixed before authentication.
>       if (httpRequest.getMethod().equals("POST")
>           && httpRequest.getSession() != null
>           && !httpRequest.getSession().isNew()
>           && httpRequest.getRequestURI().endsWith(url)) {
>         // Drop the pre-login session and start a fresh one with a new ID
>         // before the authentication is processed further down the chain.
>         httpRequest.getSession().invalidate();
>         httpRequest.getSession(true);
>         log.info("new Session:" + httpRequest.getSession().getId());
>       }
>     }
>     chain.doFilter(request, response);
>   }
>   
>   public void init(FilterConfig filterConfig) throws ServletException {
>     url = filterConfig.getInitParameter("url");
>     if (url == null) {
>       throw new ServletException(
>           "please specify parameter 'url' with login URL");
>     }
>   }
>   
> }
>       
> The web.xml:
> Code:
>       <filter>
>               <display-name>NewSessionFilter</display-name>
>               <filter-name>NewSessionFilter</filter-name>
>               <filter-class>
>                       NewSessionFilter
>               </filter-class>
>               <init-param>
>                       <param-name>url</param-name>
>                       <param-value>/iss/login.jsf</param-value>
>               </init-param>
>       </filter>
>       <filter-mapping>
>               <filter-name>NewSessionFilter</filter-name>
>               <servlet-name>Faces Servlet</servlet-name>
>               <url-pattern>/iss/login.jsf</url-pattern>
>               <dispatcher>REQUEST</dispatcher>
>       </filter-mapping>
>        
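As an added example (not the attached NewSessionFilter or Seam's own code), here is the attribute-preserving session regeneration the reporter describes, written against the plain Servlet API so a pre-login state such as a shopping basket survives the ID change. The class name `SessionIdRegenerator` is hypothetical, and it assumes a context where the container's `invalidate()` is allowed, i.e. outside the Seam lifecycle that the report says blocks it.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Regenerates the HTTP session ID after a successful login while keeping the
 * session's attributes (the "copy all elements" approach from the report),
 * using only the Servlet API. Hypothetical helper, not part of Seam.
 */
public final class SessionIdRegenerator {

    private SessionIdRegenerator() {
    }

    /**
     * Invalidates the caller's current session, creates a fresh one and moves
     * all attributes over. Returns the new session ID. Call this right after
     * the credentials have been verified, before writing anything else.
     */
    public static String regenerate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // No session existed before login, so there is no ID an attacker
            // could have planted; simply start a fresh one.
            return request.getSession(true).getId();
        }
        // Snapshot the attributes first: after invalidate() every access to
        // the old session throws IllegalStateException.
        Map<String, Object> saved = new HashMap<String, Object>();
        Enumeration<?> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh.getId();
    }
}
```

On Servlet 3.1 and newer containers `request.changeSessionId()` achieves the same without touching attributes; in a Seam 2 application the invalidation has to go through Seam's own session handling, which is what the comment above about calling `newSession()` from the Authenticator addresses.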

_______________________________________________
seam-issues mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/seam-issues