Comments on: Generate new session ID in Java EE? http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/ Sam Buchanan's weblog Mon, 14 Nov 2011 13:06:58 -0500 http://wordpress.org/?v=2.8.4 hourly 1 By: thereddevil http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/comment-page-1/#comment-30626 thereddevil Wed, 12 Jan 2011 12:54:42 +0000 http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/#comment-30626 It's getting weird guys, it's 2011 and still nothing (as far as I can tell). I'm looking for a solution to this problem for almost 2 months but "nada"... Using plain JSF, I could do a manual logout and log back in every time a user tried to log in order to renew the session ID. But with icefaces, you can't logout and log back in programmatically, as the invalidateSession() method throws a SessionExpiredException............... It’s getting weird guys, it’s 2011 and still nothing (as far as I can tell). I’m looking for a solution to this problem for almost 2 months but “nada”…

Using plain JSF, I could do a manual logout and log back in every time a user tried to log in order to renew the session ID.
But with icefaces, you can’t logout and log back in programmatically, as the invalidateSession() method throws a SessionExpiredException……………

]]> By: Suresh http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/comment-page-1/#comment-29432 Suresh Tue, 08 Dec 2009 15:16:00 +0000 http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/#comment-29432 Thanks Ritesh, "emptySessionPath=false in server.xml" fixed my problem of session.invalidate() not resulting in a new session id. I've not notcied any adverse side effects yet. Thanks Ritesh,

“emptySessionPath=false in server.xml” fixed my problem of session.invalidate() not resulting in a new session id. I’ve not notcied any adverse side effects yet.

]]> By: kiran http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/comment-page-1/#comment-29381 kiran Thu, 05 Nov 2009 06:15:41 +0000 http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/#comment-29381 Hay guys, I am facing the same problem in weblogic netui frame work. Trying to generate the new session with following code. getRequest().getSession(true); but its giving the same id.. andy body know how to solve this isue pls reply.. Hay guys,

I am facing the same problem in weblogic netui frame work.

Trying to generate the new session with following code.

getRequest().getSession(true);

but its giving the same id.. andy body know how to solve this isue pls reply..

]]> By: Ritesh Tendulkar http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/comment-page-1/#comment-28227 Ritesh Tendulkar Fri, 20 Mar 2009 16:27:37 +0000 http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/#comment-28227 For jboss 4.2.x change emptySessionPath=false in server.xml seems to fix the problem. Not sure what are the side-effects of this change though For jboss 4.2.x change emptySessionPath=false in server.xml seems to fix the problem. Not sure what are the side-effects of this change though

]]> By: Preventing Session Fixation through Session ID Regeneration in Java and ASP.NET - KeepItLocked.net http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/comment-page-1/#comment-28016 Preventing Session Fixation through Session ID Regeneration in Java and ASP.NET - KeepItLocked.net Tue, 24 Feb 2009 19:15:25 +0000 http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/#comment-28016 [...] that this does not regenerate the session ID necessarily. Looking at the comment thread for this blog, it appears JBoss doesn't regenerate the JSESSIONID using this code. I haven't confirmed this [...] [...] that this does not regenerate the session ID necessarily. Looking at the comment thread for this blog, it appears JBoss doesn’t regenerate the JSESSIONID using this code. I haven’t confirmed this [...]

]]> By: Ludwig http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/comment-page-1/#comment-10218 Ludwig Thu, 31 May 2007 13:37:53 +0000 http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/#comment-10218 Sam, yes, i am :-) It seems to be a very odd issue. The feedback I got so far is that this is by design although I haven't found any specifics about that in the servlet specifications. We are working with JBoss. If the client does not support cookie based session tracking the code example above does indeed generate a new session ID. However, once cookie based session tracking is supported, the session ID is always the one submitted in the JSESSIONID-Cookie, with no regard to the invalidate() method called before. Sam,
yes, i am :-) It seems to be a very odd issue. The feedback I got so far is that this is by design although I haven’t found any specifics about that in the servlet specifications. We are working with JBoss. If the client does not support cookie based session tracking the code example above does indeed generate a new session ID. However, once cookie based session tracking is supported, the session ID is always the one submitted in the JSESSIONID-Cookie, with no regard to the invalidate() method called before.

]]> By: Sam http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/comment-page-1/#comment-10100 Sam Tue, 29 May 2007 17:32:16 +0000 http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/#comment-10100 You're right, that creates a new session -- that is, a new HttpSession object, but not a new session ID. Irritating. Nothing for you now, but I'll keep looking. As I can tell from googling around, you're still looking, too. :) You’re right, that creates a new session — that is, a new HttpSession object, but not a new session ID. Irritating. Nothing for you now, but I’ll keep looking. As I can tell from googling around, you’re still looking, too. :)

]]> By: Ludwig http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/comment-page-1/#comment-9646 Ludwig Tue, 22 May 2007 12:42:36 +0000 http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/#comment-9646 Hm. We are using JBoss here and trying to force our webapp to generate a new session ID- doesn't work: // session.getID() is "foo" session.invalidate(); req.getSession(true); // should create new session id //session.getID() is "foo" again. How do you generate a new session ID?, Hm.
We are using JBoss here and trying to force our webapp to generate a new session ID- doesn’t work:
// session.getID() is “foo”
session.invalidate();
req.getSession(true); // should create new session id
//session.getID() is “foo” again.

How do you generate a new session ID?,

]]> By: Sam http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/comment-page-1/#comment-9596 Sam Mon, 21 May 2007 12:41:37 +0000 http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/#comment-9596 Nope, sorry. Just the tiresome, manual process of copying the session attributes over to the new session. Nope, sorry. Just the tiresome, manual process of copying the session attributes over to the new session.

]]> By: Ludwig http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/comment-page-1/#comment-9578 Ludwig Mon, 21 May 2007 08:55:26 +0000 http://afongen.com/blog/2006/08/01/generate-new-session-id-in-java-ee/#comment-9578 Hi Sam, we are having the same problems here. Do you know a solution now? Ludwig Hi Sam,
we are having the same problems here.
Do you know a solution now?

Ludwig

]]>