Please help in implementing session fixation in java.
A countermeasure against session fixation is to generate a new session identifier (SID) on each request. Thus, although an attacker may trick a user into accepting a known SID, the SID will be invalid when the attacker attempts to re-use it. Implementation of such a system is simple, as demonstrated by the following:
- Get previous Session Identifier OLD_SID from HTTP request.
- If OLD_SID is null, empty, or no session with SID=OLD_SID exists, create a new session.
- Generate new session identifier NEW_SID with a secure random number generator.
- Let session be identified by SID=NEW_SID (and no longer by SID=OLD_SID).
- Transmit new SID to client.
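The steps above as a servlet Filter, added here as an example and not code from the poster. It assumes a Servlet 3.1+ container in the `javax.servlet` namespace (Jakarta EE 9+ uses `jakarta.servlet`), and leaves the actual random id generation to the container, which is what `changeSessionId()` does.

```java
// Added example: rotate the session id on every request, as the answer describes.
// Assumes Servlet 3.1+ (HttpServletRequest.changeSessionId) and the javax.servlet API.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

@WebFilter("/*") // apply to every request so no request keeps the old id alive
public class SessionIdRotationFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // Steps 1-2: look up OLD_SID. getSession(false) returns null when the client
        // sent no session cookie or the id matches no live server-side session, so a
        // fixated id that was never issued by this server is never adopted.
        HttpSession session = request.getSession(false);
        if (session == null) {
            // Fresh session: the container generates the id with its own secure RNG.
            request.getSession(true);
        } else {
            // Steps 3-4: keep the session state but bind it to a new id (NEW_SID);
            // OLD_SID stops resolving to this session from here on.
            rotateId(request, session);
        }
        // Step 5: the container transmits the new id in the Set-Cookie header.
        chain.doFilter(req, res);
    }

    /** Rebinds an existing session to a newly generated id; returns the new id. */
    static String rotateId(HttpServletRequest request, HttpSession session) {
        // changeSessionId() throws IllegalStateException without a session; the
        // caller already checked for that.
        String newId = request.changeSessionId();
        // Sanity check: the attributes survived, only the identifier changed.
        if (!newId.equals(session.getId())) {
            throw new IllegalStateException("session id rotation did not take effect");
        }
        return newId;
    }
}
```

Rotating on every request can misbehave when the browser has several requests in flight (the second one still carries the superseded id), so many deployments rotate only at privilege changes such as login, which is where the fixation risk is concentrated.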
You can also keep the same session but include a request counter, e.g. in each request the person needs to increment the counter by one (which is done via the app, not manually by the client) and the number is also kept on the server side. If they disagree or get out of sync, the session is discarded.