shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Luke Biddell (JIRA)" <>
Subject [jira] [Commented] (SHIRO-170) Force New Session ID on Authentication
Date Mon, 28 May 2012 12:52:23 GMT


Luke Biddell commented on SHIRO-170:

+1 voting for this in the next release.

In the meantime I have hacked up the suggested fix by Les. I already have my own AuthenticationFilter
so I've rather cheekily overriden executeLogin and done this...

    protected boolean executeLogin(final ServletRequest request, final ServletResponse response)
throws Exception {
        final AuthenticationToken token = createToken(request, response);
        if (token == null) {
            String msg = "createToken method implementation returned null. A valid non-null
AuthenticationToken "
                    + "must be created in order to execute a login attempt.";
            throw new IllegalStateException(msg);
        try {
            // Stop session fixation issues.
            final Subject subject = getSubject(request, response);
            Session session = subject.getSession();
            // Store the attributes so we can copy them to the new session after auth.
            final LinkedHashMap<Object, Object> attributes = new LinkedHashMap<Object,
            final Collection<Object> keys = session.getAttributeKeys();
            for (Object key : keys) {
                final Object value = session.getAttribute(key);
                if (value != null) {
                    attributes.put(key, value);
            // Restore the attributes. 
            session = subject.getSession();
            for (final Object key : attributes.keySet()) {
                session.setAttribute(key, attributes.get(key));
            return onLoginSuccess(token, subject, request, response);
        } catch (AuthenticationException e) {
            return onLoginFailure(token, e, request, response);

Not ideal, but WFM right now.

> Force New Session ID on Authentication
> --------------------------------------
>                 Key: SHIRO-170
>                 URL:
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Configuration
>    Affects Versions: 1.0.0, 1.1.0, 1.2.0
>            Reporter: Jakob K├╝lzer
>            Priority: Minor
>             Fix For: 1.3.0
> I am working on an application that has very high security standards. One of the issues
raised after a full audit of the app is that it might be vulnerable for session fixation attacks.
Shiro does not reset the Session ID after successful authentication, which would prevent this
type of attack. 
> IMHO this would add another level of security to Shiro beneficial for all kinds of applications.

> OWASP has a good page on session fixation attacks:

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:!default.jspa
For more information on JIRA, see:


View raw message