Creating new session ids

 
Ranch Hand
Posts: 32
Hi All,

Every time I log into my application, I want the session to have a new session id. Currently if I close and open the browser, I'll get a new session id, or else the session id will be the same even though I am invalidating the session while logging out. Is there any solution for this? I'm using JBoss as my application server.

Any help is highly appreciated.

Regards
Shenaz
 
Ranch Hand
Posts: 40
Hi shenaz,

Have you checked the attribute values in the session after invalidating the session?

I don't think that after invalidating session you will have same session.

If your session is not invalidated then you would be able to retrieve the attribute values from the session.

Just double check..
 
Shenaz Assu
Ranch Hand
Posts: 32
We have a requirement to handle "Session Fixation". It has been advised by the audit team to

Always generate a new session to which the user will log in if successfully authenticated.



Currently when I'm logging in from the same browser, the session id remains the same. Is that fine? Is it OK if I generate a new session with the same id? Will this solve my problem?
 
Shenaz Assu
Ranch Hand
Posts: 32
Hi Dilip,

I checked. The session is getting invalidated and I'm getting the session attributes as null.

 
Bartender
Posts: 10336
Why do you need a new Session ID if the session it identified has been invalidated?
 
Dilip Mallik
Ranch Hand
Posts: 40
Then why do you need a new session id?

Is there any project requirement?
 
Ranch Hand
Posts: 104
That's how our browsers behave. If you don't want to have this feature then close the current window and open a new window.
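An added example, not written by any poster in this thread: one way to meet the audit requirement quoted above ("always generate a new session to which the user will log in") is to retire the pre-login session at the moment authentication succeeds and to verify that the container really issued a different id. The class name, the `authenticate` method, the attribute names, the `/home` path and the `javax.servlet` namespace are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: hypothetical login servlet (names and paths are assumptions).
public abstract class LoginServlet extends HttpServlet {
    // Hypothetical allowlist of pre-login attributes that are safe to keep.
    private static final String[] CARRY_OVER = {"locale"};

    // Hypothetical credential check, supplied by the application.
    protected abstract boolean authenticate(String user, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        if (!authenticate(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The pre-login session id may be known to someone else, so retire it.
        HttpSession old = req.getSession(false);
        String oldId = null;
        Map<String, Object> kept = new HashMap<>();
        if (old != null) {
            oldId = old.getId();
            for (String name : CARRY_OVER) {
                Object value = old.getAttribute(name);
                if (value != null) kept.put(name, value);
            }
            old.invalidate();
        }
        // Servlet 3.1+ containers can instead call req.changeSessionId(),
        // which keeps the session and its attributes but issues a new id.
        HttpSession fresh = req.getSession(true);
        if (fresh.getId().equals(oldId)) {
            throw new ServletException("session id was not renewed at login");
        }
        kept.forEach(fresh::setAttribute);
        fresh.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```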
 