Twomey, Sean wrote:
> Our application has just recently integrated acegi as our security
> framework. However, we now have a requirement to change the session
> identifier (JSESSIONID) after a successful login, since this session id is
> issued at/before the login page, and is thus prone to a session fixation
> attack.
>
> I had thought of subclassing the AuthenticationProcessingFilter class's
> onSuccessfulAuthentication(..) method to invalidate the old HttpSession and
> create a new one. Will this cause any issues? Or is there an alternative, and
> perhaps cleaner, way of implementing the requirement that I have outlined?
Hi Sean

Most people simply use the channel security capabilities so JSESSIONID is only ever sent over HTTPS, thus avoiding the need to modify the session ID.

If you do need to modify the session ID, you'll need to find a way of preserving the behaviour of HttpSessionContextIntegrationFilter and also preserving the authenticated identity.

HTTPS is probably easier (and safer, too).

Cheers
Ben

Acegisecurity-developer mailing list
Home: http://acegisecurity.org
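The approach Sean describes, with the caveat Ben raises about keeping the authenticated identity, written out as an added illustration that is not code from the thread or from Acegi itself. It assumes the Acegi 1.0-era package and class names (org.acegisecurity.Authentication, org.acegisecurity.ui.webapp.AuthenticationProcessingFilter) and the onSuccessfulAuthentication(request, response, authResult) signature mentioned above; whether HttpSessionContextIntegrationFilter's end-of-request write lands in the new session must be checked against the version in use.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.acegisecurity.Authentication;                         // assumed Acegi 1.0 package
import org.acegisecurity.ui.webapp.AuthenticationProcessingFilter; // assumed Acegi 1.0 package

/**
 * Hypothetical filter subclass: after a successful login it replaces the
 * pre-login session with a fresh one, so the JSESSIONID that was issued
 * before authentication is never bound to an authenticated user (the
 * session fixation defence discussed in the thread).
 */
public class SessionMigratingProcessingFilter extends AuthenticationProcessingFilter {

    // Signature as referred to in the thread; assumed to match the Acegi version in use.
    protected void onSuccessfulAuthentication(HttpServletRequest request,
            HttpServletResponse response, Authentication authResult) throws IOException {
        super.onSuccessfulAuthentication(request, response, authResult);
        migrateSession(request);
    }

    /**
     * Copies every attribute of the current session into a new session with a
     * new id. Keeping the attributes is what preserves state that other filters
     * (HttpSessionContextIntegrationFilter among them) stored in the old session.
     */
    static HttpSession migrateSession(HttpServletRequest request) {
        HttpSession oldSession = request.getSession(false);
        if (oldSession == null) {
            return request.getSession(true);   // nothing to carry over; just obtain a fresh id
        }
        Map attributes = new HashMap();        // raw types: Java 1.4-era code base
        Enumeration names = oldSession.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            attributes.put(name, oldSession.getAttribute(name));
        }
        oldSession.invalidate();               // the pre-login id can no longer reach this user's state
        HttpSession newSession = request.getSession(true);   // container issues a new JSESSIONID
        for (Iterator it = attributes.entrySet().iterator(); it.hasNext();) {
            Map.Entry e = (Map.Entry) it.next();
            newSession.setAttribute((String) e.getKey(), e.getValue());
        }
        return newSession;
    }
}
```

Because the attributes are copied before invalidate() and restored afterwards, the authenticated identity stored in the session survives the id change; the old id is simply no longer associated with any server-side state.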
