For the following code, I was able to create a new Session ID under Tomcat5.5.
However, the Session ID was the same under JBoss4.21GA.

    session = request.getSession(true);
    out.println("session id=" + session.getId());

    request.getSession(true).invalidate();
    session = request.getSession(true);
    out.println("session id=" + session.getId());

To prevent a Session Fixation Attack, I hope to create a new Session ID after
the Login process.
If it is possible, could you please tell me the way?
Thank you.
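
One way to rotate the session at login and to catch the case described in the post, where the container hands back the same ID after `invalidate()`. This is an added example, not part of the original post and not JBoss or Tomcat code; the class name `SessionRotation` and the method `rotate` are hypothetical, and only the standard `javax.servlet.http` API is used.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: call after credentials are verified, before storing any login state. */
public final class SessionRotation {

    private SessionRotation() {}

    public static HttpSession rotate(HttpServletRequest request) {
        String oldId = null;
        Map<String, Object> carried = new HashMap<String, Object>();

        // getSession(false) avoids creating a session just to destroy it.
        HttpSession old = request.getSession(false);
        if (old != null) {
            oldId = old.getId();
            // Carry over pre-login attributes (for example a shopping cart).
            // Anything stored before login was set by an unauthenticated
            // client, so never carry identity or role data this way.
            for (Object name : Collections.list(old.getAttributeNames())) {
                carried.put((String) name, old.getAttribute((String) name));
            }
            old.invalidate();
        }

        HttpSession fresh = request.getSession(true);

        // Fail closed: if the container reissued the pre-login ID (the
        // behaviour reported above), an ID planted before login would
        // now identify an authenticated session. Abort the login instead.
        if (oldId != null && oldId.equals(fresh.getId())) {
            fresh.invalidate();
            throw new IllegalStateException(
                "session id was not changed by the container; refusing to log in");
        }

        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

The login handler stores the authenticated principal only in the session returned by `rotate`; the exception makes a container that reuses IDs visible in testing instead of silently leaving the pre-login ID in place.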