
How do I issue a new session token or session credentials upon successfully authenticating the user? I want to delete both the previous session token or credentials and the server context associated with the previous session, whether the user has logged in or out.

After login I need a new jsession id to avoid session fixation attack.

Please help me out with any sample code.

Dev G

1 Answer


If you invalidate the session once the user is authenticated, he won't be authenticated anymore. Why would you do that? I fail to see the point.

To invalidate the session after a logout, just use session.invalidate().

JB Nizet
  • Actually, I don't want to invalidate... After login I need a new jsessionid to avoid a session fixation attack. I also want to keep all session variables/attributes. – Dev G Oct 31 '11 at 09:51
  • Interesting (I didn't know the term session fixation attack). The solution seems simple, though: disable URL rewriting and only use cookies: http://stackoverflow.com/questions/962729/is-it-possible-to-disable-jsessionid-in-tomcat-servlet. You could also add a custom cookie on login, and set up a filter that refuses requests from authenticated users which don't have this cookie with the appropriate value. – JB Nizet Oct 31 '11 at 10:55
  • My URL does not contain any jsessionid. Session fixation is a security attack in which an attacker can hijack the validated session id and do unauthorized transactions on behalf of the victim. I got the solution: I need to store all existing session data, invalidate the existing session, then create a new session and add the data to it. – Dev G Nov 01 '11 at 03:14
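The approach Dev G settles on in the last comment (save the attributes, invalidate the old session, create a fresh one, restore the attributes), written out as an added example that is not code from the question or the answer; it assumes the javax.servlet 3.0 API (e.g. Tomcat 7) and is meant to be called from the login handler immediately after the credentials have been verified.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Session-fixation defence for servlet applications: after a successful
 * login the pre-authentication session id must never remain valid,
 * because an attacker who planted or learned that id would otherwise
 * share the now-authenticated session.
 */
public final class SessionRegeneration {

    private SessionRegeneration() {
    }

    /**
     * Replaces the caller's current session with a brand-new one (new
     * JSESSIONID, new server-side context) while carrying over every
     * attribute, so application state set before login survives.
     *
     * @return the new session, already populated with the old attributes
     */
    public static HttpSession regenerate(HttpServletRequest request) {
        Map<String, Object> saved = new HashMap<String, Object>();

        HttpSession old = request.getSession(false); // do not create one just to kill it
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            // Discards the server-side context and makes the old id unusable.
            old.invalidate();
        }

        // The container issues a fresh id and sends a new Set-Cookie header
        // (the response must not have been committed yet, so do this first).
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

Call SessionRegeneration.regenerate(request) before writing the user principal into the session in your login servlet; on a Servlet 3.1 container the single call request.changeSessionId() achieves the same id rotation without the copy loop.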