resetting session id

Scott Branchini
Greenhorn
Posts: 14
I am in the process of solving a session fixation problem and I was wondering if there is any way to reset a session id without losing all of the session information. I have access to the session id through the session.getId() function call in the servlet. Is there any possible way to do this without invalidating the entire session? If not, are there any other possible ways of solving session fixation while keeping session information intact?
 
Ben Souther
Sheriff
Posts: 13411
You could pull all of the session information into a map, reset the session, and then add the map data to the new session.
The getAttributeNames method would allow you to get all of them.

May I ask why you need to do this?
 
Scott Branchini
Greenhorn
Posts: 14
It is for session fixation, where someone can falsify a session and steal personal information about a user. I am trying to make sure that the login process of the web site is secure where when a user logs in, a new session will be generated and any session that is set up by an attacker (if it exists) will be invalidated.

Do you know any other ways to accomplish the same goal, or would this be the easiest and most straightforward way?
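Ben's map-copy approach, applied at the login step Scott describes, written out as an added example (this is not code from either poster). It assumes the Servlet API on the classpath; `authenticate` is a placeholder for the site's own credential check and is left abstract because it is deployment-specific.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public abstract class LoginServlet extends HttpServlet {

    /**
     * Replace the current session with a fresh one that carries the same
     * attributes. Once the old session is invalidated, any JSESSIONID the
     * browser presented before this call no longer maps to anything, so a
     * session id planted before login cannot be reused after it.
     */
    static HttpSession regenerateSession(HttpServletRequest request) {
        HttpSession oldSession = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (oldSession != null) {
            // getAttributeNames() is the call Ben mentions; the raw Enumeration
            // with a cast compiles on both Servlet 2.x and 3.x.
            Enumeration<?> names = oldSession.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, oldSession.getAttribute(name));
            }
            oldSession.invalidate();
        }
        // getSession(true) after invalidate() issues a new id and a new Set-Cookie.
        HttpSession newSession = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            newSession.setAttribute(e.getKey(), e.getValue());
        }
        return newSession;
    }

    /** Hypothetical hook for the application's own credential check. */
    protected abstract boolean authenticate(String username, String password);

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");
        String pass = request.getParameter("password");
        if (user == null || pass == null || !authenticate(user, pass)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Swap the id at the trust boundary: the session existed before the
        // user proved who they are, so it gets a fresh id now.
        HttpSession session = regenerateSession(request);
        session.setAttribute("user", user);
        response.sendRedirect(request.getContextPath() + "/home");
    }
}
```

Because this copies every attribute, anything stored in the pre-login session travels into the post-login one; if that matters, copy only the attributes the application needs after login. On Servlet 3.1 and later, `HttpServletRequest.changeSessionId()` changes the id while keeping the same session object, which makes the copy unnecessary.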
 
Alec Lee
Ranch Hand
Posts: 569
Scott,

This is interesting. Are you suggesting an intruder knowing the session ID of another user trying to create a JSESSIONID cookie in his own browser with that session ID? But I don't understand how an intruder can know the session ID of someone else in the first place and how your solution could prevent such a problem.
 
Ben Souther
Sheriff
Posts: 13411
Originally posted by Scott Branchini:
Do you know any other ways to accomplish the same goal, or would this be the easiest and most straightforward way?

Yes, SSL.
A lot of people spent a lot of time working this out for you.
All you need to do is use it.
 