Hi all,
I hope I am in the right place.
I'm using the Jetty Felix bundle (org.apache.felix.http.jetty-2.3.2.jar).
So I have a simple servlet with a login page.
For security purposes, I would like to renew the session ID value after
the authentication step.
(Why the session ID should be refreshed: cf. [1])
I was thinking that just invalidating the current session would do the
job [2],
but for me this is not the case:

    HttpSession existingSession = request.getSession(false);
    if (existingSession != null) {
        existingSession.invalidate();
    }
    HttpSession newSession = request.getSession(true);

Unless I am mistaken, in my case the existingSession ID and the newSession ID
are the same...
In the Felix Jetty documentation [3], there is no option to do that.
- How can I do that?
- Maybe there is a way to obtain the Jetty session manager from my app bundle?
(If relevant, please point me to the issue or issue tracker associated with
the Felix Jetty bundle.)
Thanks in advance.
Regards
Brice
References:
[1] https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Renew_the_Session_ID_After_Any_Privilege_Level_Change
[2] http://stackoverflow.com/questions/2311429/httpservletrequest-create-new-session-change-session-id
[3] http://felix.apache.org/documentation/subprojects/apache-felix-http-service.html#configuration-properties