I need to change the session ID to prevent session fixation.
I use the method below to change the session:
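    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;

    import org.apache.struts2.ServletActionContext;

    import com.opensymphony.xwork2.ActionSupport;

    public class LoginSupport extends ActionSupport {
        public void prepare() {
            final HttpServletRequest request = ServletActionContext.getRequest();
            // invalidate the container session directly, bypassing Struts2's SessionMap
            request.getSession().invalidate();
            // generate new session (and id)
            final HttpSession newSession = request.getSession();
        }
    }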
However, Struts2 threw the below exception after invoking the above action:
    java.lang.IllegalStateException: getAttribute: Session already invalidated
        at org.apache.catalina.session.StandardSession.getAttribute(StandardSession.java:1011)
        at org.apache.catalina.session.StandardSessionFacade.getAttribute(StandardSessionFacade.java:109)
        at org.apache.struts2.dispatcher.SessionMap.get(SessionMap.java:161)
Clearly, it is still attempting to access the attribute map of the previous session. How do I let Struts2 know that it should refresh its internal session map?
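
Added example, not part of the original question: one way to rotate the session after a successful login without leaving Struts2's `SessionMap` pointing at the invalidated `HttpSession`. It assumes Struts 2.x (`com.opensymphony.xwork2` packages) on `javax.servlet`; the class name `LoginAction` and the attribute keys are hypothetical, and `changeSessionId()` requires a Servlet 3.1+ container.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.struts2.ServletActionContext;
import org.apache.struts2.dispatcher.SessionMap;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionSupport;

public class LoginAction extends ActionSupport {
    // Hypothetical attribute names, chosen for this example.
    private static final String[] CARRY_OVER = { "locale" };
    private static final String USER_KEY = "authenticatedUser";

    private String username; // populated by Struts from the login form
    public void setUsername(String username) { this.username = username; }

    @Override
    public String execute() {
        // Credential check omitted; assume it has succeeded at this point.
        rotateSession();
        // Store the principal only in the new session, never in the pre-login one.
        ActionContext.getContext().getSession().put(USER_KEY, username);
        return SUCCESS;
    }

    /** Replace the pre-login session so a fixated ID never becomes authenticated. */
    @SuppressWarnings("rawtypes")
    static void rotateSession() {
        Map<String, Object> session = ActionContext.getContext().getSession();
        // Keep only allowlisted values; anything else set before login is dropped.
        Map<String, Object> kept = new HashMap<>();
        for (String key : CARRY_OVER) {
            Object value = session.get(key);
            if (value != null) kept.put(key, value);
        }
        if (session instanceof SessionMap) {
            // Invalidates the HttpSession and clears the reference Struts cached,
            // so the next put() creates a fresh session with a new ID.
            ((SessionMap) session).invalidate();
        }
        session.putAll(kept);
    }

    /** Servlet 3.1+ alternative: new ID, same HttpSession object and attributes. */
    static void rotateSessionId() {
        HttpServletRequest request = ServletActionContext.getRequest();
        if (request.getSession(false) != null) {
            request.changeSessionId();
        }
    }
}
```

Calling `request.getSession().invalidate()` directly, as in the question, leaves the old `HttpSession` cached inside the `SessionMap`, which is what produces the `IllegalStateException` in the stack trace.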