felix-users mailing list archives

From Brice Vandeputte <bvandeputte....@gmail.com>
Subject how to renew session id after login ?
Date Thu, 11 Dec 2014 14:05:59 GMT
Hi all,
 I hope this is the right place.
 I'm using the Jetty Felix bundle (org.apache.felix.http.jetty-2.3.2.jar).

 So I have a simple servlet with a login page.
 For security purposes, I would like to renew the session id value after the
authentication step.
     (why the session id should be refreshed: cf. [1])


 I was thinking that just invalidating the current session would do the
job [2],
 but for me this is not the case:

        // drop the pre-authentication session, if there is one
        HttpSession existingSession = request.getSession(false);
        if (existingSession != null) {
            existingSession.invalidate();
        }
        // then ask the container for a fresh one
        HttpSession newSession = request.getSession(true);

Unless I'm mistaken, in my case the existingSession id and the newSession id are the
same...
In the Felix Jetty documentation [3], there is no such option to do that.

- How can I do that?
- Maybe there is a way to obtain the Jetty session manager from my app bundle?

(if relevant, please point me to the issue or issue tracker associated with the
Felix Jetty bundle)
Thanks in advance.
Regards,
Brice


References:
[1] https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Renew_the_Session_ID_After_Any_Privilege_Level_Change
[2] http://stackoverflow.com/questions/2311429/httpservletrequest-create-new-session-change-session-id
[3] http://felix.apache.org/documentation/subprojects/apache-felix-http-service.html#configuration-properties
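The following is an added example of the session-ID renewal the message asks about; it is not code from the original post, from Felix or from Jetty. It is written against the Servlet 3.0 API only (no changeSessionId(), which arrived in Servlet 3.1), since the Felix HTTP Jetty 2.3.x bundle ships, to my understanding, a Jetty 8 / Servlet 3.0 stack. The helper class name, the "user" attribute name and the credential check are assumptions for illustration. Its one security-relevant addition over the snippet in the message is the check that the container really issued a different ID: if it did not, the login is refused rather than silently continuing on a session an attacker may have fixated.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not part of Felix or Jetty): replace the caller's
 * session with a freshly issued one after a successful login, so that a
 * session ID handed to the victim before authentication (session fixation)
 * does not survive the privilege change.
 */
public final class SessionRenewal {

    private SessionRenewal() {}

    /**
     * Invalidates the pre-authentication session, creates a new one, carries
     * the old attributes across and records the authenticated user.
     *
     * @throws IllegalStateException if the container handed back the same
     *         session ID; callers must then treat the login as failed.
     */
    public static HttpSession renewAfterLogin(HttpServletRequest request, String username) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        String oldId = null;

        if (old != null) {
            oldId = old.getId();
            // Copying attributes is a convenience (e.g. a shopping cart).
            // Everything copied here came from the unauthenticated session,
            // so trust it no more than you did before login; for a strict
            // policy, skip this loop and start with an empty session.
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate(); // pre-auth session is gone server-side from here on
        }

        HttpSession fresh = request.getSession(true);

        // The check the snippet in the message lacks: verify the ID changed.
        if (oldId != null && oldId.equals(fresh.getId())) {
            fresh.invalidate();
            throw new IllegalStateException("container reused session id; refusing to complete login");
        }

        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("user", username); // attribute name is an assumption
        return fresh;
    }
}

/** Example login servlet using the helper (credential check is a placeholder). */
class LoginServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("user");
        String pass = req.getParameter("pass");
        if (!credentialsValid(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        try {
            SessionRenewal.renewAfterLogin(req, user);
        } catch (IllegalStateException e) {
            // Fail closed: no authenticated session was established.
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "session renewal failed");
            return;
        }
        resp.sendRedirect(req.getContextPath() + "/");
    }

    /** Placeholder: replace with a real credential store lookup. */
    private boolean credentialsValid(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}
```

On a Servlet 3.1 container (Jetty 9.1 and later) the whole attribute-copy dance collapses to `request.changeSessionId()`, which issues a new ID and keeps the session object; the explicit "did the ID actually change" check is still worth keeping after either approach, because a renewal that silently does nothing is exactly the failure mode the message reports.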
