Hi all,

Our application has just recently integrated Acegi as our security framework. However, we now have a requirement to change the session identifier (JSESSIONID) after a successful login, since this session id is issued at/before the login page, and is thus prone to a session fixation attack.

I had thought of subclassing the AuthenticationProcessingFilter class's onSuccessfulAuthentication(..) method to invalidate the old HttpSession and create a new one. Will this cause any issues? Or is there an alternative, and perhaps cleaner, way of implementing the requirement that I have outlined?

Thanks in advance,
- Sean
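The subclass approach described in the post, written out as an added example (it is not Acegi's own code and not the poster's); it assumes the Acegi 1.0-era signature onSuccessfulAuthentication(HttpServletRequest, HttpServletResponse, Authentication) throws IOException, and the class name is made up for illustration:

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.acegisecurity.Authentication;
import org.acegisecurity.ui.webapp.AuthenticationProcessingFilter;

/**
 * Illustrative subclass (hypothetical name): after a successful login, retire
 * the session id that was handed out on the login page and carry on in a fresh
 * session, so an id fixed before authentication is never promoted to a
 * logged-in session.
 */
public class SessionRenewingAuthenticationProcessingFilter
        extends AuthenticationProcessingFilter {

    protected void onSuccessfulAuthentication(HttpServletRequest request,
            HttpServletResponse response, Authentication authResult)
            throws IOException {
        HttpSession oldSession = request.getSession(false);
        if (oldSession == null) {
            // No pre-login session exists, so there is no id to replace.
            return;
        }

        // invalidate() discards every attribute, so copy application state
        // (for example a saved request to redirect to after login) first.
        Map attributes = new HashMap();
        for (Enumeration names = oldSession.getAttributeNames(); names.hasMoreElements();) {
            String name = (String) names.nextElement();
            attributes.put(name, oldSession.getAttribute(name));
        }

        oldSession.invalidate();                              // old JSESSIONID is now dead
        HttpSession newSession = request.getSession(true);    // container issues a new id

        for (Iterator it = attributes.entrySet().iterator(); it.hasNext();) {
            Map.Entry entry = (Map.Entry) it.next();
            newSession.setAttribute((String) entry.getKey(), entry.getValue());
        }

        super.onSuccessfulAuthentication(request, response, authResult);
    }
}
```

To confirm it works, compare the JSESSIONID cookie set on the login page with the Set-Cookie header on the post-login response; the values must differ, and a request replaying the pre-login id must be treated as unauthenticated.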
_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
