So one more from me today - I'm a little perplexed on session invalidation.
In common with general security best practice on HTTP, we invalidate the session ID obtained during initial logon and create a new one for the auth'd and logged-on user. This helps prevent session sniffing and spoofing, because the initial session ID can become visible and disclosed.

While updating to newer Felix HTTP Jetty, the session ID never seems to get invalidated. We always seem to get the same ID back even after we try and invalidate it. Digging into the code of HttpSessionWrapper shows that the Jetty delegate invalidate never gets called.

Here's where it gets weird though. It looks like a mod was committed by Carsten on 29/3/2018, quite recently, to explicitly remove the delegate invalidate:

    SHA-1: f86428f2689e62aafe750d1905fff4f5136ab67e
    * FELIX-5819 : Container session should not be invalidated
    git-svn-id: https://svn.apache.org/repos/asf/felix/trunk@1827956 13f79535-47bb-0310-9956-ffa450edef68

At which point I get thoroughly confused! Clearly there must be something I'm missing.

----
Rob Walker
www.ascert.com
[email protected]
SA +27 21 300 2028
UK +44 20 7488 3470 ext 5119
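The login-time session rotation the post describes, as an added example that is not code from the post's author or from the Felix project; it uses only the standard Servlet API, and the `authenticate` hook is a hypothetical placeholder supplied by a subclass:

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public abstract class LoginServlet extends HttpServlet {
    // Credential check is out of scope here; subclasses supply it (hypothetical hook).
    protected abstract boolean authenticate(String user, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        if (!authenticate(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Rotate the session so the pre-login ID, which may already have been observed, is never bound to the user.
        HttpSession fresh = regenerateSession(req);
        fresh.setAttribute("user", user);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Invalidate the pre-auth session and create a new one, carrying over its
    // attributes. If the container returns the same ID anyway (the symptom in
    // the post above), fail closed instead of logging the user in on it.
    static HttpSession regenerateSession(HttpServletRequest req) throws ServletException {
        HttpSession old = req.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        String oldId = null;
        if (old != null) {
            oldId = old.getId();
            for (Enumeration<String> e = old.getAttributeNames(); e.hasMoreElements();) {
                String name = e.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        if (oldId != null && oldId.equals(fresh.getId())) {
            throw new ServletException("session ID was not rotated at login");
        }
        carried.forEach(fresh::setAttribute);
        return fresh;
    }
}
```

Deployed on the setup described above, the identity check in `regenerateSession` is what would surface a container that hands back the unchanged ID.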
