Hello, OWASP has compiled a "top 10" of vulnerabilities for web applications.
One suggestion against session hijacking was the following: start a new HTTP session after a successful login: "Consider regenerating a new session upon successful authentication or privilege level change." http://www.owasp.org/index.php/Top_10_2007-A7

Does anybody have a suggestion how to implement this with Seam? Are there any votes for a change request?

I have thought of invalidating the current HTTP session, creating a new one and copying all elements from the old session to the new session. But Seam 2.0.0 doesn't allow this:

- When I use the low-level functions, this is blocked by IllegalStateException("Please end the HttpSession via Seam.invalidateSession()") in Lifecycle.
- When I use Seam.invalidateSession(), the session is only destroyed at the end of the request and I am unable to copy any objects.

Thanks, Alexander.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4116276#4116276
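The session-regeneration step the post asks about, written against the plain Servlet API rather than Seam's Lifecycle, as an added example that is not part of the original post and not Seam project code. It assumes a Servlet 2.5-era container (hence the raw `Enumeration` from `getAttributeNames()`) and a caller that invokes it once, directly after the credentials have been verified; the post itself reports that Seam 2.0.0 intercepts direct `invalidate()` calls, so inside Seam this cannot simply be dropped into a login action. On Servlet 3.1 and later containers, `HttpServletRequest.changeSessionId()` performs the id swap in one call without the copy loop.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Session-fixation mitigation: after a successful login, discard the session id
 * the client arrived with and issue a fresh one, carrying the attributes across.
 * Hypothetical helper, not part of Seam or the Servlet API.
 */
public final class SessionRegenerator {

    private SessionRegenerator() {
    }

    /**
     * Invalidates the current session (if any) and returns a new session that
     * holds the same attributes. The container issues a new JSESSIONID in the
     * response, so an id observed before authentication is no longer valid.
     */
    public static HttpSession regenerate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();

        if (old != null) {
            // Copy attributes out before invalidate(): afterwards getAttribute() throws.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }

        // A new session object with a new id; the Set-Cookie goes out with this response.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }

    /**
     * Typical call site: only regenerate once the credentials have been accepted,
     * and store the principal in the fresh session rather than the old one.
     * authenticate() is a placeholder for the application's own check.
     */
    public static HttpSession loginAndRegenerate(HttpServletRequest request,
                                                 String user, String password) {
        if (!authenticate(user, password)) {
            return null; // no session change on a failed attempt
        }
        HttpSession fresh = regenerate(request);
        fresh.setAttribute("principal", user);
        return fresh;
    }

    // Placeholder; a real application verifies against its credential store.
    private static boolean authenticate(String user, String password) {
        throw new UnsupportedOperationException("replace with the application's credential check");
    }
}
```

The copy must happen before `invalidate()`, because every accessor on an invalidated session throws `IllegalStateException`; this is the same constraint that makes the post's "destroyed at the end of the request" behaviour a problem, since by then the old attributes are gone. Anything the old session held that must not survive authentication (a pre-login CSRF token, a cached anonymous view state) should be dropped from `saved` rather than carried over.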
