asked 2009-11-05 06:52:14 +0800

mixgho

RENEW_NATIVE_SESSION session fixation problem

Hi, I'm trying to use org.zkoss.zk.ui.impl.Attributes.RENEW_NATIVE_SESSION to prevent the session fixation problem. I've done everything according to the javadoc, but it's not working.

This should prevent the session from being destroyed in HttpSessionListener, but it's destroyed anyway when onInvalidate is invoked. When I invoke onShowId later, the logout page is shown.

import static org.zkoss.zk.ui.impl.Attributes.RENEW_NATIVE_SESSION;

import javax.servlet.http.HttpSession;

import org.apache.log4j.Logger;
import org.zkoss.zk.ui.Component;
import org.zkoss.zk.ui.event.Event;
import org.zkoss.zk.ui.util.GenericForwardComposer;

public class Composer extends GenericForwardComposer {
    private static final long serialVersionUID = -8991512099359923637L;

    private static final Logger sLog = Logger.getLogger(Composer.class);

    @Override
    public void doAfterCompose(Component aComp) throws Exception {
        super.doAfterCompose(aComp);
        // 'session' is the ZK Session implicit object inherited from GenericForwardComposer;
        // the native HttpSession is wrapped inside it.
        HttpSession httpSession = (HttpSession) session.getNativeSession();
        sLog.info("old id: " + httpSession.getId());
        // Ask ZK to renew (rather than destroy) the native session when invalidate() is called.
        session.setAttribute(RENEW_NATIVE_SESSION, Boolean.TRUE);
    }

    public void onInvalidate(Event aEvent) {
        session.invalidate();
    }

    public void onShowId(Event aEvent) {
        // Expected: a fresh native session with a different id than the one logged above.
        HttpSession httpSession = (HttpSession) session.getNativeSession();
        sLog.info("new id: " + httpSession.getId());
        session.removeAttribute(RENEW_NATIVE_SESSION);
    }
}

I've tried setting the RENEW_NATIVE_SESSION attribute on the httpSession instead of the zkoss session, and I've also tried invalidating the httpSession, but with no luck. It behaves the same all the time :(

Can anybody please point me in the right direction?
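For readers arriving at this question, the following is an added example that is not part of the post above and not ZK's own code: it shows the plain Servlet-API technique that a session-renewal switch such as RENEW_NATIVE_SESSION is meant to achieve, namely retiring the pre-login session id at the moment of authentication so that an id planted by an attacker beforehand stops being valid. The class name SessionRenewal, the method names and the "userId" attribute are assumptions chosen for the illustration.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the question and not ZK code): renewing the
 * servlet session id when a user authenticates, the standard defence
 * against session fixation. Class and method names are hypothetical.
 */
public final class SessionRenewal {

    private SessionRenewal() {}

    /**
     * Replaces the caller's current HttpSession with a fresh one carrying
     * the same attributes and returns the new session.
     *
     * On a Servlet 3.1+ container, request.changeSessionId() does this in
     * one call without destroying the session and is the preferred form;
     * the copy-and-invalidate version below also works on older containers.
     */
    public static HttpSession renew(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            // Invalidating the old session is what retires the pre-login id.
            old.invalidate();
        }
        // A new session gets a new id generated by the container.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Typical call site: only after the credentials have been verified. */
    public static void onLoginSuccess(HttpServletRequest request, String userId) {
        HttpSession session = renew(request);
        session.setAttribute("userId", userId); // hypothetical attribute name
    }
}
```

One caveat that matches the symptom described in the question: with the copy-and-invalidate form, the container still calls HttpSessionListener.sessionDestroyed for the old session, so any logout handling tied to that callback must be able to tell a renewal apart from a real logout (for example by checking a marker attribute set before invalidate()). request.changeSessionId() avoids this because it keeps the session object and only swaps its id, notifying HttpSessionIdListener instead. In a ZK application the native session is wrapped by the ZK Session, which is why the framework exposes its own switch rather than expecting this to be done in a composer.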
