Hi All,
I want to change the session ID of the user when he logs in to the application, to protect against session fixation. I have tried the following with no luck:
1. Invalidate the session before login with session.invalidate() - this results in side effects, since we have many session-scoped components which cannot be ignored on login.
2. Use a valve to invalidate the session - again, this resulted in a lot of side effects due to the session-scoped components.
So, I am just looking for a way to change the session ID instead of invalidating the old session. I think this can be achieved in the latest Tomcat version by calling ManagerBase.changeSessionId(), but unfortunately I am running with an old JBoss.
Any help is highly appreciated.
Regards,
Joshua
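
The approach asked about above, as an added example that is not part of the original post: a helper that rotates the session ID after login while keeping the session's attributes. The class name `SessionIdRotator` is hypothetical, and the fallback path assumes the session-scoped components are held as ordinary session attributes.

```java
import java.lang.reflect.Method;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: give the user a fresh session ID once login succeeds. */
public final class SessionIdRotator {

    private SessionIdRotator() {}

    /** Call right after credentials are verified; returns the new session ID. */
    public static String rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // No pre-login session exists, so there is no ID an attacker could have fixed.
            return request.getSession(true).getId();
        }
        try {
            // Servlet 3.1+ containers: only the ID changes, the session object stays.
            // Looked up reflectively so the class still compiles against older APIs.
            Method m = HttpServletRequest.class.getMethod("changeSessionId");
            return (String) m.invoke(request);
        } catch (NoSuchMethodException e) {
            // Older servlet API: use the copy-and-recreate fallback below.
        } catch (Exception e) {
            throw new IllegalStateException("changeSessionId failed", e);
        }
        // Fallback: snapshot attributes, invalidate, create a new session, restore.
        Map<String, Object> saved = new HashMap<String, Object>();
        for (Object name : Collections.list(old.getAttributeNames())) {
            saved.put((String) name, old.getAttribute((String) name));
        }
        int maxInactive = old.getMaxInactiveInterval();
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        fresh.setMaxInactiveInterval(maxInactive);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh.getId();
    }
}
```

On the fallback path, `invalidate()` still fires `HttpSessionListener.sessionDestroyed` and `HttpSessionBindingListener.valueUnbound`, so components that clean up in those callbacks will notice the swap even though their attribute entries are restored.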