how to refresh JSESSIONID cookie after login

Nathan Beach · Nov 17, 2011 · Viewed 42.6k times

A product I work on got a tough security audit by a potential customer and they are upset that Tomcat sets a JSESSIONID cookie before authentication has happened. That is, Tomcat sets this cookie when our stateless Login Page loads, but before login.

They suggest either of the following:

  1. issue a new JSESSIONID cookie after login
  2. prevent a JSESSIONID cookie from being set in the first place on the Login Page (i.e., before authentication has happened)

I have been poring through everything JSESSIONID-related on this site and can find no easy answer. I'm just hoping for some ideas. My best solutions for each are:

  1. right after login, clone the Session (minus the id) by copying all the attributes, invalidating the old session, creating a new one, copying the values, associating it with the request, and hoping that works.
  2. create a servlet Filter at the very end of the chain that strips out the JSESSIONID cookie before the Login Page is initially loaded. And then hope the login request works out without a JSESSIONID set.

I've got to get some sleep, but will be attempting these in the morning. It would be awesome to get some feedback or better suggestions from people much smarter than myself -- like you!

Regardless, I'll post my results here because it seems like a lot of other people have been wanting to do something similar.

Answer

cherouvim · Nov 17, 2011

You will not refresh after but just before. When executing the login action first do:

HttpSession session = request.getSession(false); // look up an existing session only, never create one here
if (session!=null && !session.isNew()) {
    session.invalidate(); // discard the pre-authentication session and its (possibly attacker-chosen) id
}

Then do:

HttpSession session = request.getSession(true); // create the session
// do the login (store the user in the session, or whatever)

FYI what you are solving with this trick is http://www.owasp.org/index.php/Session_Fixation

Lastly you can disable automatic session creation and only create the session when you really need it. If you use JSP you do that by:

<%@page contentType="text/html"
        pageEncoding="UTF-8"
        session="false"%>
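Putting the answer's invalidate-then-recreate sequence together with the questioner's option 1 (carry selected attributes across), here is an added worked example of a login servlet that rotates the JSESSIONID at the moment of authentication. This is example code written for this page, not code from the original question, the answer, or Tomcat itself. The servlet path `/login`, the attribute names `returnTo` and `user`, and the in-memory credential table are assumptions for the example; the credential check is a constructed stand-in for whatever the real application uses.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example login servlet (not from the original page) that defends against
 * session fixation by discarding the pre-authentication session and letting
 * the container issue a fresh JSESSIONID once the credentials have checked out.
 */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Constructed stand-in for a real user store: one example account.
    private static final Map<String, String> CREDENTIALS = new HashMap<>();
    static {
        CREDENTIALS.put("alice", "correct horse battery staple");
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");
        String pass = request.getParameter("password");

        if (user == null || pass == null || !authenticate(user, pass)) {
            // Failed login: do not create a session, do not rotate anything.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Step 1: copy out only the attributes we deliberately want to survive
        // the rotation. Do NOT copy everything: anything in the old session
        // could have been planted through the attacker-chosen session id.
        Map<String, Object> keep = new HashMap<>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            Object returnTo = old.getAttribute("returnTo"); // assumed attribute name
            if (returnTo instanceof String) {
                keep.put("returnTo", returnTo);
            }
            // Step 2: invalidate the pre-authentication session so its id is
            // no longer valid for anyone who knew it before login.
            old.invalidate();
        }

        // Step 3: create a brand-new session. Tomcat assigns a new id and sends
        // a new JSESSIONID Set-Cookie header with this response.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : keep.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }

        // Step 4: only now bind the authenticated identity to the new session.
        fresh.setAttribute("user", user); // assumed attribute name

        String target = (String) fresh.getAttribute("returnTo");
        response.sendRedirect(target != null ? target : request.getContextPath() + "/");
    }

    /** Constant-time comparison against the constructed credential table. */
    private static boolean authenticate(String user, String pass) {
        String expected = CREDENTIALS.get(user);
        if (expected == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                pass.getBytes(StandardCharsets.UTF_8));
    }
}
```

The order differs slightly from the answer (credentials are checked first, then the session is rotated) so that failed attempts never cause a session to be created; the essential point is the same: the session the user is authenticated into is one that did not exist before the credentials were verified, so an id handed to the victim beforehand is worthless. On Servlet 3.1 containers (Tomcat 8 and later) `request.changeSessionId()` performs the id rotation in place without the copy-and-reinvalidate dance, but selectively copying attributes as above is the portable approach for the Tomcat 6/7 era the question is about.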