I've inherited a pretty ancient JSP application (JDK 1.3.1_15) and am attempting to plug a session fixation hole.
I'm successfully invalidating the current session after authentication using HttpSession.invalidate()
however when the new session is created, the old session ID is re-used.
<%
// login.jsp
if (authenticated) {
request.getSession().invalidate();
// create new session and store data
HttpSession session = request.getSession();
session.putValue(...);
// etc
response.sendRedirect("logged-in.jsp");
return;
}
%>
I can see the new session assignment in my HTTP monitor, it's just using the same number again.
-- Initial request response --
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=6a303082951311647336934;path=/
-- login.jsp request response --
HTTP/1.1 302 Moved Temporarily
Location: http://example.com/logged-in.jsp
Set-Cookie: JSESSIONID=6a303082951311647336934;path=/
Prior to me using session.invalidate()
the second Set-Cookie
response header was not present at all.
Does anybody have any advice on how to generate a new session ID? I'm not very familiar with JRUN4 but trawling through the configuration documentation hasn't turned up anything.
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…