Win a copy of Java 9 Revealed this week in the Features new in Java 9 forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic

Changing the session id on Login  RSS feed

Joshua Antony
Ranch Hand
Posts: 254
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi All,

I want to change the session id of the user when he logs in to the application to prevent against session fixation . I have tried below with no luck -

1. Invalidate the session before log in by session.invalidate()- this results in side effects since we have many session scoped components which cannot be ignored on log in
2. Use valve to invalidate session - again this resulted in lot of side effects due to session scoped components

So, just looking for a way to change the session id instead of invalidate the old session. I think this can be achieved in latest tomcat version by calling ManagerBase.changeSesionId() , but unfortunately I am running with old JBoss

Any help is highly appreciated.

Prashant Chotu
Posts: 19
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
1. You can use the below utility function. This invalidates existing session and create a new session copied all the attributes except JSESSIONID from the existing session.

public static def invalidateExistingSessionAndCreateNewSession(def session, def request){
def sessionAttributes = session.attributeNames
def map = new HashMap()
def attributeName
while (sessionAttributes.hasMoreElements()){
attributeName = sessionAttributes.nextElement()
map.put(attributeName, session.getValue(attributeName))
session = request.getSession(true)
Set entrySet = map.entrySet()
Map.Entry entry
for(Iterator i = entrySet.iterator();i.hasNext();){
entry = (Map.Entry);
return session

2. If you make use of Valve in Context, then I think the session gets renamed. Its existing attributes do not get destroyed.

Prashant Gupta
It is sorta covered in the JavaRanch Style Guide.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!