
RENEW_NATIVE_SESSION session fixation problem

asked 2009-11-05 06:52:14 +0800

mixgho

updated 2009-11-05 07:06:23 +0800

Hi, I'm trying to use org.zkoss.zk.ui.impl.Attributes.RENEW_NATIVE_SESSION to prevent the session fixation problem.
I've done everything according to the javadoc, but it's not working.

This should prevent the session from being destroyed in the HttpSessionListener, but it's destroyed anyway when onInvalidate is invoked. When I invoke onShowId later, the logout page is shown.

import javax.servlet.http.HttpSession;
import org.apache.log4j.Logger; // log4j assumed from Logger.getLogger(Class)
import org.zkoss.zk.ui.Component;
import org.zkoss.zk.ui.event.Event;
import org.zkoss.zk.ui.util.GenericForwardComposer;
import static org.zkoss.zk.ui.impl.Attributes.RENEW_NATIVE_SESSION;

public class Composer extends GenericForwardComposer {
    private static final long serialVersionUID = -8991512099359923637L;

    private static final Logger sLog = Logger.getLogger(Composer.class);

    @Override
    public void doAfterCompose(Component aComp) throws Exception {
        super.doAfterCompose(aComp);
        // "session" is the implicit ZK Session wired in by GenericForwardComposer
        HttpSession httpSession = (HttpSession) session.getNativeSession();
        sLog.info("old id: " + httpSession.getId());
        // ask ZK to keep the ZK session alive when the native session is invalidated
        session.setAttribute(RENEW_NATIVE_SESSION, Boolean.TRUE);
    }

    public void onInvalidate(Event aEvent) {
        session.invalidate();
    }

    public void onShowId(Event aEvent) {
        HttpSession httpSession = (HttpSession) session.getNativeSession();
        sLog.info("new id: " + httpSession.getId());
        session.removeAttribute(RENEW_NATIVE_SESSION);
    }
}

I've tried setting the RENEW_NATIVE_SESSION attribute on the httpSession instead of the ZK session, and I've also tried invalidating the httpSession, but with no luck. It behaves the same all the time :(

Can anybody please point me in the right direction?


7 Replies


answered 2009-11-05 19:25:23 +0800

joylo0122 (www.zkoss.org)

@mixgho

Hi mixgho, are you sure you are invalidating an HttpSession in the onInvalidate() method? Because there is a description in the
org.zkoss.zk.ui.impl.Attributes.RENEW_NATIVE_SESSION API: "A session attribute used to denote that the invalidation of a
native session (such as HttpSession and PortletSession) does not invalidate ZK session."

Maybe you can try this...

    public void onInvalidate(Event aEvent) {
        // invalidate the native HttpSession behind the ZK session
        HttpSession httpSession = (HttpSession) session.getNativeSession();
        httpSession.invalidate();
    }

Regards
/Joy


answered 2009-11-06 01:36:47 +0800

mixgho

Yes, as I mentioned, I tried setting the parameter and invalidating the underlying httpSession, but it has no effect; I'm still redirected to the timeout page :(

Session Fixation is a big security risk. I could throw away the whole zkoss session and use my own, but I'd rather use the "native" ZKoss way!


answered 2009-11-06 04:50:46 +0800

joylo0122 (www.zkoss.org)

@mixgho

I have checked this problem and built a sample for you.

Java code

import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map.Entry;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.zkoss.zk.ui.impl.Attributes;

    // field of the enclosing class that keeps a reference to the current native session
    private HttpSession httpSession;

    private void renewHttpSession(HttpServletRequest request) {
        HttpSession htSess = request.getSession();
        // tell ZK not to drop the ZK session when this native session is invalidated
        htSess.setAttribute(Attributes.RENEW_NATIVE_SESSION, Boolean.TRUE);
        System.out.println("old id: " + htSess.getId());
        // session content replication: copy every attribute before invalidating
        Enumeration<?> names = htSess.getAttributeNames();
        HashMap<String, Object> map = new HashMap<String, Object>();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            map.put(name, htSess.getAttribute(name));
        }
        htSess.invalidate(); // kill session

        // restore content to the new session, which gets a fresh id
        htSess = request.getSession();
        for (Entry<String, Object> entry : map.entrySet()) {
            htSess.setAttribute(entry.getKey(), entry.getValue());
        }
        httpSession = htSess;
        System.out.println("new id: " + htSess.getId());
    }

I'm sure the HttpSession will change; you can try it.

Regards
/Joy


answered 2009-11-06 07:01:27 +0800

mixgho

Thank you very much! This code works perfectly. I don't know what I was doing wrong before, because my code looks pretty much the same.
In addition, I didn't know that on JBoss you have to turn off the emptySessionPath attribute (switch it to the Tomcat default value false) in deploy/jboss-web.deployer/server.xml, otherwise JBoss recreates the session with the same id :(

Thanks again!


answered 2018-09-27 21:36:04 +0800

thanhhaibka

This solution doesn't work for me:

java.lang.IllegalStateException: getAttribute: Session already invalidated
    org.apache.catalina.session.StandardSession.getAttribute(StandardSession.java:1197)

Can anyone help?


answered 2019-07-10 20:47:53 +0800

xuesong

@joylo0122 it does not work


answered 2020-01-07 18:40:37 +0800

Konditor

Hello, with Java EE 7 a new SessionId can be created via a method:

HttpServletRequest.changeSessionId();

After that, nothing else is necessary.

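An added example that is not code from any of the replies or from ZK itself; it puts the two approaches in this thread side by side: changeSessionId() from Konditor's reply for Servlet 3.1 containers, and the copy-invalidate-recreate sequence from joylo0122's reply for older ones, guarded against the "Session already invalidated" error thanhhaibka reports. The class and method names are mine; Attributes.RENEW_NATIVE_SESSION is the ZK attribute discussed above.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.zkoss.zk.ui.impl.Attributes;

/** Added example (not from the thread or from ZK): rotate the session id right after login. */
public final class SessionIdRotation {
    private SessionIdRotation() {}

    /** Servlet 3.1+ (Java EE 7): the container keeps all attributes and only issues a new id. */
    public static String rotateInPlace(HttpServletRequest request) {
        request.getSession(true);          // make sure there is a session to rotate
        return request.changeSessionId();  // no ZK flag needed: no native session is destroyed
    }

    /** Pre-3.1 containers: copy, invalidate, recreate, restore (joylo0122's approach above). */
    public static HttpSession rotateByRecreate(HttpServletRequest request) {
        HttpSession old = request.getSession(true);
        // Keep ZK from ending the ZK session when the native session is invalidated.
        old.setAttribute(Attributes.RENEW_NATIVE_SESSION, Boolean.TRUE);
        // Read every attribute BEFORE invalidate(): reading afterwards throws
        // IllegalStateException "Session already invalidated" (the error thanhhaibka reports).
        Map<String, Object> saved = new HashMap<String, Object>();
        for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
            String name = (String) names.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        // The copied flag must not survive: per the javadoc quoted above, while it is set a
        // native invalidation (such as a real logout) would leave the ZK session alive.
        fresh.removeAttribute(Attributes.RENEW_NATIVE_SESSION);
        return fresh;
    }
}
```

Whichever variant is used, call it only once per authentication, after credentials have been verified, so the id the user presented before login is never the id that carries the authenticated session.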