27 Replies. Latest reply on Aug 25, 2016 5:34 AM by jfclere
      • 15. Re: Change of jsessionid after login
        endrigoantonini

        It works!!! Thanks, man!!

        I think the author of the topic should mark your post as the answer.

        • 16. Re: Change of jsessionid after login
          jfclere

          Hm, I think I screwed it up: org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH=true should do the job too, no?

          • 17. Re: Change of jsessionid after login
            matlach

            Are you suggesting, Jean-Frederic, adding this property in standalone.xml?

                <system-properties>
                    <property name="org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH" value="true"/>
                </system-properties>

            I think I'm facing the same issue even if this is defined.

             

            Thanks,

            • 18. Re: Change of jsessionid after login
              jfclere

              It works for me.

              I have tried BASIC authentication; I see the sessionid change after authentication (after visiting a page with a security-constraint) and with programmatic login.

              • 19. Re: Change of jsessionid after login
                bondchan921

                If I read the replies correctly, both solutions are for AS7. I have tried on AS 4.2.3, and neither of them worked:

                1) it does not have this method: FormAuthenticator.setChangeSessionIdOnAuthentication(true)

                2) it does not have these fields:

                -Dorg.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH=true

                -Dorg.apache.catalina.connector.Request.SESSION_ID_CHECK=true

                • 20. Re: Change of jsessionid after login
                  jfclere

                  It is for AS7.2.x

                  • 21. Re: Change of jsessionid after login
                    kanit_com

                    Can anyone solve this issue on AS 4.2.3? Mr. Bond Chan, how can you solve the issue with AS 4.2.3?

                    Thank you for the answer.

                    • 22. Re: Change of jsessionid after login
                      jfclere

                      You can't (or you have to change several classes). Upgrade to a newer version.

                      • 23. Re: Change of jsessionid after login
                        kanit_com

                        Thank you for your reply. By the way, we will upgrade to a newer version.

                        • 24. Re: Change of jsessionid after login
                          ilya.zinchuk

                          Dear Mathieu and Jean-Frederic, thanks a lot, worked indeed for AS 7.2.x

                          • 25. Re: Change of jsessionid after login
                            bob0jboss

                            I've managed to successfully change the session id on authentication on JBoss 4.2.3 GA. Below is the code required to do this. Basically it's a reimplementation of the missing methods that exist in future versions of JBoss.

                             

                            import java.lang.reflect.Field;
                            import java.lang.reflect.InvocationTargetException;
                            import java.lang.reflect.Method;

                            import javax.faces.context.FacesContext;
                            import javax.security.auth.login.LoginException;
                            import javax.servlet.ServletRequestWrapper;
                            import javax.servlet.http.Cookie;
                            import javax.servlet.http.HttpServletRequest;
                            import javax.servlet.http.HttpSession;

                            import org.apache.catalina.Context;
                            import org.apache.catalina.Globals;
                            import org.apache.catalina.Manager;
                            import org.apache.catalina.connector.Request;
                            import org.apache.catalina.connector.RequestFacade;
                            import org.apache.catalina.connector.Response;
                            import org.apache.catalina.session.ManagerBase;
                            import org.apache.catalina.session.StandardSession;
                            import org.jboss.seam.ScopeType;
                            import org.jboss.seam.annotations.In;
                            import org.jboss.seam.annotations.Name;
                            import org.jboss.seam.annotations.Observer;
                            import org.jboss.seam.annotations.Scope;
                            import org.jboss.seam.framework.Controller;
                            import org.jboss.seam.security.Identity;

                            @Name("loginManager")
                            @Scope(ScopeType.CONVERSATION)
                            public class LoginManager extends Controller {

                                @In(create = true)
                                Identity identity;

                                public String login() throws LoginException {
                                    // ... custom login code ...
                                    return null; // replace with the navigation outcome of the custom login
                                }

                                // Seam raises this event once authentication succeeds; rotate the session id then.
                                @Observer(value = "org.jboss.seam.security.loginSuccessful", create = false)
                                public void onLoginSuccessful() {
                                    SessionData.changeSessionId();
                                }
                            }

                            @Name("sessionData")
                            public class SessionData {

                                public static String changeSessionId() {
                                    /*
                                     * This method adds missing functionality present in future versions of JBoss (AS 7).
                                     * It reproduces the following piece of code taken from AuthenticatorBase.register(...),
                                     * assuming that the 'changeSessionIdOnAuthentication' variable is set to true:
                                     * http://www.docjar.com/html/api/org/apache/catalina/authenticator/AuthenticatorBase.java.html
                                     *
                                     *   if (session != null && changeSessionIdOnAuthentication) {
                                     *       Manager manager = request.getContext().getManager();
                                     *       manager.changeSessionId(session);
                                     *       request.changeSessionId(session.getId());
                                     *   }
                                     */
                                    HttpServletRequest httpServletRequest =
                                            (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
                                    HttpSession httpSession = httpServletRequest.getSession();
                                    String sessionId = httpSession.getId();
                                    System.out.println("Current SessionId: " + sessionId); // debug only: do not log session ids in production

                                    try {
                                        // The container hands the application a facade; reach the wrapped StandardSession (field 'session').
                                        Field sessionField = httpSession.getClass().getDeclaredField("session");
                                        sessionField.setAccessible(true);
                                        StandardSession standardSession = (StandardSession) sessionField.get(httpSession);

                                        /*
                                         * Replicate the missing method: ManagerBase.changeSessionId(Session session)
                                         * http://www.docjar.com/html/api/org/apache/catalina/session/ManagerBase.java.html
                                         */
                                        Manager manager = standardSession.getManager();

                                        // generateSessionId() is protected in ManagerBase, so invoke it reflectively.
                                        Method generateSessionIdMethod = ManagerBase.class.getDeclaredMethod("generateSessionId");
                                        generateSessionIdMethod.setAccessible(true);

                                        // StandardSession.setId() re-registers the session with the manager under the new id.
                                        String newSessionId = (String) generateSessionIdMethod.invoke(manager);
                                        standardSession.setId(newSessionId);

                                        /*
                                         * Replicate the missing method: Request.changeSessionId(String newSessionId)
                                         * http://www.docjar.com/html/api/org/apache/catalina/connector/Request.java.html
                                         */
                                        // JSF/Seam wrap the request; unwrap to the RequestFacade, then to the Catalina Request (field 'request').
                                        RequestFacade requestFacade = (RequestFacade) ((ServletRequestWrapper) httpServletRequest).getRequest();
                                        Field requestField = RequestFacade.class.getDeclaredField("request");
                                        requestField.setAccessible(true);
                                        Request request = (Request) requestField.get(requestFacade);

                                        Response response = request.getResponse();
                                        Context context = request.getContext();

                                        // Send the new id to the browser, scoped like the container's own JSESSIONID cookie.
                                        if (response != null) {
                                            Cookie newCookie = new Cookie(Globals.SESSION_COOKIE_NAME, newSessionId);
                                            newCookie.setMaxAge(-1);
                                            String contextPath = null;
                                            if (!response.getConnector().getEmptySessionPath() && (context != null)) {
                                                contextPath = context.getEncodedPath();
                                            }
                                            if ((contextPath != null) && (contextPath.length() > 0)) {
                                                newCookie.setPath(contextPath);
                                            } else {
                                                newCookie.setPath("/");
                                            }
                                            if (request.isSecure()) {
                                                newCookie.setSecure(true);
                                            }
                                            response.addCookieInternal(newCookie);
                                        }

                                        System.out.println("New SessionId: " + newSessionId); // debug only
                                        return newSessionId;
                                    } catch (IllegalArgumentException e) {
                                        e.printStackTrace();
                                    } catch (SecurityException e) {
                                        e.printStackTrace();
                                    } catch (IllegalAccessException e) {
                                        e.printStackTrace();
                                    } catch (NoSuchFieldException e) {
                                        e.printStackTrace();
                                    } catch (InvocationTargetException e) {
                                        e.printStackTrace();
                                    } catch (NoSuchMethodException e) {
                                        e.printStackTrace();
                                    }

                                    // Reflection failed: the id was not changed, so return the existing one.
                                    return sessionId;
                                }
                            }
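A check for the behaviour jfclere describes in reply 18 and that the workaround above reimplements, added here as an example and not part of the thread: it parses the JSESSIONID cookie from the Set-Cookie headers sent before and after login and reports whether the id was rotated and whether the replacement cookie carries the Path and Secure attributes the workaround sets. The sample headers are constructed; `probe_server` is a live variant whose host, paths and form fields are assumptions about your own deployment.

```python
import http.client
import urllib.parse
from http.cookies import SimpleCookie

COOKIE_NAME = "JSESSIONID"  # Globals.SESSION_COOKIE_NAME in Catalina
# Constructed sample Set-Cookie headers, shaped like JBoss Web/Tomcat output.
PRE_LOGIN = ["JSESSIONID=1A2B3C4D5E6F7A8B; Path=/app"]
POST_LOGIN = ["JSESSIONID=9F8E7D6C5B4A3C2D; Path=/app; Secure; HttpOnly"]


def extract_session_cookie(set_cookie_headers):
    """Return (value, attrs) for the JSESSIONID cookie, or (None, {}) if absent."""
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        morsel = jar.get(COOKIE_NAME)
        if morsel is not None:
            return morsel.value, {k: v for k, v in morsel.items() if v}
    return None, {}


def assess_rotation(pre_headers, post_headers, https=True):
    """Compare the id issued before login with the one issued after it."""
    old_id, _ = extract_session_cookie(pre_headers)
    new_id, attrs = extract_session_cookie(post_headers)
    return {
        "old_id": old_id,
        "new_id": new_id,
        # No post-login cookie, or the same value, means the pre-auth id survived login.
        "rotated": new_id is not None and new_id != old_id,
        "path": attrs.get("path"),
        "secure_ok": bool(attrs.get("secure")) or not https,
        "httponly": bool(attrs.get("httponly")),
    }


def probe_server(host, pre_path, login_path, form, https=True):
    """Live variant (assumed host/paths/form): GET an unauthenticated page, POST the
    login form while presenting the pre-auth id, then assess the returned cookies."""
    conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(host)
    conn.request("GET", pre_path)
    pre = conn.getresponse()
    pre_cookies = pre.headers.get_all("Set-Cookie") or []
    pre.read()  # drain the body so the connection can be reused
    old_id, _ = extract_session_cookie(pre_cookies)
    hdrs = {"Content-Type": "application/x-www-form-urlencoded"}
    if old_id:
        hdrs["Cookie"] = f"{COOKIE_NAME}={old_id}"
    conn.request("POST", login_path, body=urllib.parse.urlencode(form), headers=hdrs)
    post = conn.getresponse()
    post_cookies = post.headers.get_all("Set-Cookie") or []
    post.read()
    return assess_rotation(pre_cookies, post_cookies, https)
```

Run `assess_rotation(PRE_LOGIN, POST_LOGIN)` for the constructed case; a real deployment is checked with `probe_server` against a test instance of the application.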

                            • 26. Re: Change of jsessionid after login
                              kumar_jboss

                              Hi All,

                               

                              I have a security issue in the application; to fix it I have to change the JSESSIONID after user login, but this is not happening.

                              I am using JBoss EAP 5.1; can anyone help with this?

                              • 27. Re: Change of jsessionid after login
                                jfclere

                                If you are using EAP 5.1 you probably have other security issues; try upgrading to a supported version like 6.4.9.
