Generate new session ID in Java EE?
Is there a Java EE equivalent to PHP’s session_regenerate_id()? I’d expect to find it in the neighborhood of HttpSession but don’t.
I like to change the session token whenever there’s a change in a user’s privileges. For example, let’s say that Suzy is surfing a site anonymously for a while before she logs in. As an anonymous user, she has pretty low privileges. Then when she logs in, she has greater privileges on the system. Maybe she can view her home address, update billing info, or heck: maybe she has administrative access. There has been a change in access level.
A problem arises when while surfing anonymously with low-level access, Suzy’s session ID is stolen by an attacker using cross-site scripting or session fixation. After Suzy logs in, the attacker now has the same increased privileges on the system that Suzy does, because the attacker has Suzy’s session ID.
One countermeasure to session fixation attacks is to change Suzy’s session ID whenever her privileges change. When she logs in, assign her a new session ID. When she logs out, assign her a new session ID. Each time Suzy gets a new session ID, the old session is invalidated and the attacker — who has the old session ID — is left with a useless (nonexistent) session.
PHP’s session_regenerate_id() does this transparently, copying over session data to the new session each time (although the implementation is not without its problems). The truly crazy can even do this on each request. If I’m not mistaken, ASP.NET 2.0 also offers a means to generate a new session ID, though maybe only with cookie-less sessions. Java EE does not appear to offer one at all. Maybe some servlet containers do, but it’s not in the spec so far as I can see.
Yes, I can always create a new session and copy over all the attributes to the new session before invalidating the old one. No, it isn’t that hard. I’m just wondering if there isn’t a way for the container to do this instead. Anyone know?
01 Aug 2006 Sam
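The manual copy-then-invalidate approach the post describes, written out as an added example (not code from the post or from any container; the SessionRegenerator class and its method are hypothetical). It also checks that the container really handed out a different ID, since some containers hand back the same JSESSIONID after invalidate(), which would leave the fixation window open:

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper: regenerate the session at a privilege boundary
 * (login, logout, role change) so that an ID captured beforehand is
 * worthless afterwards.
 */
public final class SessionRegenerator {

    private SessionRegenerator() {}

    /**
     * Copies the attributes of the current session into a brand-new one,
     * invalidates the old session, and returns the new one.
     * Attributes named in dropKeys (e.g. a pre-login CSRF token) are not carried over.
     */
    public static HttpSession regenerate(HttpServletRequest req, String... dropKeys) {
        HttpSession old = req.getSession(false);
        String oldId = null;
        Map<String, Object> saved = new HashMap<>();
        if (old != null) {
            oldId = old.getId();
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            for (String key : dropKeys) {
                saved.remove(key);
            }
            old.invalidate(); // the old ID now resolves to nothing on the server
        }
        // getSession(true) after invalidate() yields a new HttpSession object;
        // a compliant container also issues a new ID here.
        HttpSession fresh = req.getSession(true);
        if (oldId != null && oldId.equals(fresh.getId())) {
            // Same ID reused: regeneration did nothing, fail closed rather than
            // silently leaving the fixation window open (see container notes in the thread).
            fresh.invalidate();
            throw new IllegalStateException("container reused the session ID after invalidate()");
        }
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

Call regenerate(request) immediately after the credentials check succeeds and before storing the authenticated principal in the session. Servlet 3.1 later added HttpServletRequest.changeSessionId(), which makes the container do this itself.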
Hi Sam,
We are having the same problems here.
Do you know a solution now?
Ludwig
Nope, sorry. Just the tiresome, manual process of copying the session attributes over to the new session.
Hm.
We are using JBoss here and trying to force our webapp to generate a new session ID, but it doesn’t work:
HttpSession session = req.getSession();
// session.getId() is “foo”
session.invalidate();
session = req.getSession(true); // should create a new session with a new ID
// session.getId() is “foo” again.
How do you generate a new session ID?
You’re right, that creates a new session — that is, a new HttpSession object, but not a new session ID. Irritating. Nothing for you now, but I’ll keep looking. As I can tell from googling around, you’re still looking, too. :)
Sam,
Yes, I am :-) It seems to be a very odd issue. The feedback I got so far is that this is by design, although I haven’t found any specifics about that in the servlet specifications. We are working with JBoss. If the client does not support cookie based session tracking, the code example above does indeed generate a new session ID. However, once cookie based session tracking is supported, the session ID is always the one submitted in the JSESSIONID cookie, with no regard to the invalidate() method called before.
[…] that this does not regenerate the session ID necessarily. Looking at the comment thread for this blog, it appears JBoss doesn’t regenerate the JSESSIONID using this code. I haven’t confirmed this […]
For JBoss 4.2.x, changing emptySessionPath=false in server.xml seems to fix the problem. Not sure what the side effects of this change are, though.
Hey guys,
I am facing the same problem in the WebLogic NetUI framework.
Trying to generate the new session with the following code:
getRequest().getSession(true);
but it’s giving the same ID. Anybody know how to solve this issue? Please reply.
Thanks Ritesh,
“emptySessionPath=false in server.xml” fixed my problem of session.invalidate() not resulting in a new session ID. I’ve not noticed any adverse side effects yet.
It’s getting weird, guys: it’s 2011 and still nothing (as far as I can tell). I’ve been looking for a solution to this problem for almost 2 months, but “nada”…
Using plain JSF, I could do a manual logout and log back in every time a user tried to log in, in order to renew the session ID.
But with ICEfaces, you can’t log out and log back in programmatically, as the invalidateSession() method throws a SessionExpiredException…
getSession().invalidate(); this gives you a new session ID.