Comments on: Generate new session ID in Java EE? http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/ Sam Buchanan's weblog Fri, 11 Sep 2009 21:36:51 -0400 http://wordpress.org/?v=2.8.4 hourly 1 By: Ritesh Tendulkar http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/comment-page-1/#comment-28227 Ritesh Tendulkar Fri, 20 Mar 2009 16:27:37 +0000 http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/#comment-28227 For jboss 4.2.x change emptySessionPath=false in server.xml seems to fix the problem. Not sure what are the side-effects of this change though For jboss 4.2.x change emptySessionPath=false in server.xml seems to fix the problem. Not sure what are the side-effects of this change though

]]> By: Preventing Session Fixation through Session ID Regeneration in Java and ASP.NET - KeepItLocked.net http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/comment-page-1/#comment-28016 Preventing Session Fixation through Session ID Regeneration in Java and ASP.NET - KeepItLocked.net Tue, 24 Feb 2009 19:15:25 +0000 http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/#comment-28016 [...] that this does not regenerate the session ID necessarily. Looking at the comment thread for this blog, it appears JBoss doesn't regenerate the JSESSIONID using this code. I haven't confirmed this [...] [...] that this does not regenerate the session ID necessarily. Looking at the comment thread for this blog, it appears JBoss doesn’t regenerate the JSESSIONID using this code. I haven’t confirmed this [...]

]]> By: Ludwig http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/comment-page-1/#comment-10218 Ludwig Thu, 31 May 2007 13:37:53 +0000 http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/#comment-10218 Sam, yes, i am :-) It seems to be a very odd issue. The feedback I got so far is that this is by design although I haven't found any specifics about that in the servlet specifications. We are working with JBoss. If the client does not support cookie based session tracking the code example above does indeed generate a new session ID. However, once cookie based session tracking is supported, the session ID is always the one submitted in the JSESSIONID-Cookie, with no regard to the invalidate() method called before. Sam,
yes, i am :-) It seems to be a very odd issue. The feedback I got so far is that this is by design although I haven’t found any specifics about that in the servlet specifications. We are working with JBoss. If the client does not support cookie based session tracking the code example above does indeed generate a new session ID. However, once cookie based session tracking is supported, the session ID is always the one submitted in the JSESSIONID-Cookie, with no regard to the invalidate() method called before.

]]> By: Sam http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/comment-page-1/#comment-10100 Sam Tue, 29 May 2007 17:32:16 +0000 http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/#comment-10100 You're right, that creates a new session -- that is, a new HttpSession object, but not a new session ID. Irritating. Nothing for you now, but I'll keep looking. As I can tell from googling around, you're still looking, too. :) You’re right, that creates a new session — that is, a new HttpSession object, but not a new session ID. Irritating. Nothing for you now, but I’ll keep looking. As I can tell from googling around, you’re still looking, too. :)

]]> By: Ludwig http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/comment-page-1/#comment-9646 Ludwig Tue, 22 May 2007 12:42:36 +0000 http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/#comment-9646 Hm. We are using JBoss here and trying to force our webapp to generate a new session ID- doesn't work: // session.getID() is "foo" session.invalidate(); req.getSession(true); // should create new session id //session.getID() is "foo" again. How do you generate a new session ID?, Hm.
We are using JBoss here and trying to force our webapp to generate a new session ID- doesn’t work:
// session.getID() is “foo”
session.invalidate();
req.getSession(true); // should create new session id
//session.getID() is “foo” again.

How do you generate a new session ID?,

]]> By: Sam http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/comment-page-1/#comment-9596 Sam Mon, 21 May 2007 12:41:37 +0000 http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/#comment-9596 Nope, sorry. Just the tiresome, manual process of copying the session attributes over to the new session. Nope, sorry. Just the tiresome, manual process of copying the session attributes over to the new session.

]]> By: Ludwig http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/comment-page-1/#comment-9578 Ludwig Mon, 21 May 2007 08:55:26 +0000 http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/#comment-9578 Hi Sam, we are having the same problems here. Do you know a solution now? Ludwig Hi Sam,
we are having the same problems here.
Do you know a solution now?

Ludwig

]]>