Hi, I'm trying to use org.zkoss.zk.ui.impl.Attributes.RENEW_NATIVE_SESSION to prevent the session fixation problem.
I've done everything according to the javadoc, but it's not working.
This should prevent the session from being destroyed in the HttpSessionListener, but it's destroyed anyway when onInvalidate is invoked. When I invoke onShowId later, the logout page is shown.
import javax.servlet.http.HttpSession;

import org.apache.log4j.Logger;
import org.zkoss.zk.ui.Component;
import org.zkoss.zk.ui.event.Event;
import org.zkoss.zk.ui.util.GenericForwardComposer;

import static org.zkoss.zk.ui.impl.Attributes.RENEW_NATIVE_SESSION;

public class Composer extends GenericForwardComposer {
    private static final long serialVersionUID = -8991512099359923637L;
    private static final Logger sLog = Logger.getLogger(Composer.class);

    @Override
    public void doAfterCompose(Component aComp) throws Exception {
        super.doAfterCompose(aComp);
        // 'session' is the ZK Session field inherited from GenericForwardComposer
        HttpSession httpSession = (HttpSession) session.getNativeSession();
        sLog.info("old id: " + httpSession.getId());
        session.setAttribute(RENEW_NATIVE_SESSION, Boolean.TRUE);
    }

    public void onInvalidate(Event aEvent) {
        session.invalidate();
    }

    public void onShowId(Event aEvent) {
        HttpSession httpSession = (HttpSession) session.getNativeSession();
        sLog.info("new id: " + httpSession.getId());
        session.removeAttribute(RENEW_NATIVE_SESSION);
    }
}
I've tried setting the RENEW_NATIVE_SESSION attribute on the httpSession instead of the zkoss session, and I've also tried invalidating the httpSession, but with no luck. It behaves the same all the time :(
Can anybody please point me in the right direction?
@mixgho
Hi mixgho, are you sure you are invalidating a HttpSession in the onInvalidate() method? Because there is a description in the org.zkoss.zk.ui.impl.Attributes.RENEW_NATIVE_SESSION API: "A session attribute used to denote that the invalidation of a native session (such as HttpSession and PortletSession) does not invalidate ZK session."
Maybe you can try this...
public void onInvalidate(Event aEvent) {
    HttpSession httpSession = (HttpSession) session.getNativeSession();
    httpSession.invalidate();
}
Regards
/Joy
Yes, as I mentioned, I tried setting the parameter and invalidating the underlying httpSession, but it has no effect, I'm still redirected to the timeout page :(
Session Fixation is a big security risk. I could throw away the whole zkoss session and use my own, but I'd rather use the "native" ZKoss way!
@mixgho
I have checked this problem and built a sample for you.
Java code
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map.Entry;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.zkoss.zk.ui.impl.Attributes;

// field that receives the renewed native session
private HttpSession httpSession;

private void renewHttpSession(HttpServletRequest request) {
    HttpSession htSess = request.getSession();
    // mark the native session so that invalidating it keeps the ZK session alive
    htSess.setAttribute(Attributes.RENEW_NATIVE_SESSION, Boolean.TRUE);
    System.out.println("old id: " + htSess.getId());
    // session content replication...
    Enumeration names = htSess.getAttributeNames();
    HashMap<String, Object> map = new HashMap<String, Object>();
    while (names.hasMoreElements()) {
        String name = (String) names.nextElement();
        map.put(name, htSess.getAttribute(name));
    }
    htSess.invalidate(); // kill session
    // restore content to new session.
    htSess = request.getSession();
    for (Entry<String, Object> entry : map.entrySet()) {
        htSess.setAttribute(entry.getKey(), entry.getValue());
    }
    httpSession = htSess;
    System.out.println("new id: " + htSess.getId());
}
I'm sure the HttpSession will be changed; you can try it.
Regards
/Joy
Thank you very much! This code works perfectly, I don't know what I was doing wrong before, because my code looks pretty much the same.
And in addition, I didn't know that on JBoss you have to turn off (switch to the Tomcat default value, false) the emptySessionPath attribute in deploy/jboss-web.deployer/server.xml, otherwise JBoss recreates the session with the same id :(
Thanks again!
This solution goes wrong for me:

java.lang.IllegalStateException: getAttribute: Session already invalidated
    org.apache.catalina.session.StandardSession.getAttribute(StandardSession.java:1197)
Can anyone help?
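Added example for this thread (not ZK's code and not any poster's): a hypothetical SessionRenewer helper that performs the same copy, invalidate and recreate sequence as Joy's sample, but guards against the "Session already invalidated" IllegalStateException reported in the last reply by looking the session up with getSession(false) and catching the exception. It assumes the javax.servlet API and ZK's Attributes.RENEW_NATIVE_SESSION as described above; the JBoss emptySessionPath caveat from the thread still applies to the container.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.zkoss.zk.ui.impl.Attributes;

// Hypothetical helper (not ZK's code): renews the native HttpSession id,
// e.g. right after login, without losing the ZK session bound to it.
public final class SessionRenewer {
    // Returns the renewed session, or null when there was no live session
    // to renew (not logged in yet, or already invalidated by someone else).
    public static HttpSession renew(HttpServletRequest request) {
        // getSession(false) never creates a session, so an absent or already
        // invalidated one is reported here instead of surfacing later as the
        // "Session already invalidated" IllegalStateException.
        HttpSession old = request.getSession(false);
        if (old == null) {
            return null;
        }
        Map<String, Object> saved = new HashMap<String, Object>();
        try {
            // Tell ZK that invalidating the native session must not
            // invalidate the ZK session that is bound to it.
            old.setAttribute(Attributes.RENEW_NATIVE_SESSION, Boolean.TRUE);
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        } catch (IllegalStateException alreadyInvalid) {
            // A concurrent request or listener invalidated it under us.
            return null;
        }
        // Fresh session, fresh id (on Servlet 3.1+ containers
        // request.changeSessionId() does this step in place).
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        // The marker has done its job; do not leave it on the new session.
        fresh.removeAttribute(Attributes.RENEW_NATIVE_SESSION);
        return fresh;
    }
}
```

Call SessionRenewer.renew(request) once at the moment privileges change (successful login), and treat a null return as "nothing to renew" rather than as an error.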
Asked: 2009-11-05 06:52:14 +0800
Seen: 1,143 times
Last updated: Jan 07 '20