"YOU AND THE ART OF ONLINE DATING" is the only product on the market that will take you step-by-step through the process of online dating, provide you with the resources to help ensure success. Get it now!
You will not refresh after but just before. When executing the login action first do:

    HttpSession session = request.getSession(false);
    if (session != null && !session.isNew()) {
        session.invalidate();
    }

Then do:

    HttpSession session = request.getSession(true); // create the session
    // do the login (store the user in the session, or whatever)

FYI what you are solving with this trick is owasp.org/index.php/Session_Fixation

Lastly you can disable automatic session creation and only create the session when you really need it. If you use JSP you do that by.
Interesting stuff. I'm using Wicket 1.3, and I can't seem to find a way to set 'session=false' (the view side is not JSP-based). I'm going to try the getSession(false) idea now... thanks!
– Richardson Heights Nov 17 at 16:28

Invalidating the session before login is causing Wicket chaos (just keeps redirecting to the Login Page). Still messing with this... – Richardson Heights Nov 17 at 19:21

@RichardsonHeights: Have a look at issues.apache.org/jira/browse/WICKET-1767. It seems documented and solved. – cherouvim Nov 18 at 3:56

Thanks for your help. I was able to back port that Wicket fix to the older version of Wicket we're running, and it basically solved the problem. It's opened some other problems in our legacy custom authentication scheme, but this should work for anyone using Wicket in general. – Richardson Heights Nov 18 at 17:11
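The invalidate-then-recreate sequence from the answer above, written out as a complete login servlet. This is an added example, not code from the original post or from any of the projects it mentions; `LoginServlet`, the `authenticate()` helper, the `user` session attribute and the `/home` redirect target are assumed names.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the original post). The servlet name, the
// authenticate() helper and the attribute/redirect names are assumptions.
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");
        String password = request.getParameter("password");

        if (!authenticate(user, password)) {
            // Failed login: do not touch the session at all, so a failed
            // attempt cannot be used to probe or reset session state.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Step 1 (from the answer): discard any session the browser already
        // carries. getSession(false) never creates one, so an attacker-planted
        // JSESSIONID that matches a live pre-login session is invalidated here
        // instead of being promoted to an authenticated session.
        HttpSession old = request.getSession(false);
        if (old != null && !old.isNew()) {
            old.invalidate();
        }

        // Step 2: only now create the session. The container generates a new
        // id and sends a fresh JSESSIONID cookie with this response.
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("user", user);
        // Keep the authenticated session short-lived (30 minutes idle).
        fresh.setMaxInactiveInterval(30 * 60);

        response.sendRedirect(request.getContextPath() + "/home");
    }

    // Hypothetical credential check; a real application would delegate to
    // its authentication backend (directory, database, SSO provider).
    private boolean authenticate(String user, String password) {
        return user != null && !user.isEmpty()
                && password != null && !password.isEmpty();
    }
}
```

Note that `getSession(false)` returning `null` is the normal case when automatic session creation is disabled, which is why the answer recommends switching that off: the login request is then the first point at which a session exists. On Servlet 3.1 and later containers, `HttpServletRequest.changeSessionId()` rotates the id in place and lets you keep any pre-login attributes (a shopping cart, for instance) without the invalidate/recreate dance; the sequence above works on the older containers the question is about.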
I'm assuming it is the latter in your case.

1. Issue a new JSESSIONID cookie after login

This is the default Tomcat behaviour if you switch from http to https at the time of login. The old one is discarded and a new one is generated. If your login itself is over http, I guess that's another security issue for the auditors ;) Or are all your pages over https?
The problem is that the JSESSIONID cookie is set in the browser and visible in the Firefox cookie viewer (for example). As cherouvim points out above, it's the "session fixation" security hole. Interesting about the http/https switch... The app only runs over https, though.
– Richardson Heights Nov 17 at 16:21.
Two things I've found that might be helpful to others.

If you're using Apache Wicket, there is a solution for this after version 1.4. My app is still on 1.3, so I didn't realize, but I was able to back port it very easily in my own WebSession class. Wicket 1.4 adds a replaceSession() method to WebSession, which works great. You can call it right after authentication and you'll get a new JSESSIONID. It basically solved this problem for me. More info here: https://issues.apache.org/jira/browse/WICKET-1767

There is an Apache Tomcat valve available after version 5.5.29 which you can add to context.xml. It will handle issuing a new JSESSIONID after authentication. More info is available here: https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
The entry for the valve would look like this.