1 Reply Latest reply on Feb 26, 2014 5:14 AM by thomas_schindler

    Switching HTTPSession after successful login to prevent Session Fixation

    thomas_schindler

      Hello all,

       

I'm working at the moment on a JSF web project, using JBoss AS 7.1.1.Final and Mojarra 2.1.7 (Mojarra 2.1.7-jbossorg-1). As an outcome of a security review, we have the requirement to switch the HTTPSession after a successful login of the user. This is based on a recommendation of OWASP (see https://www.owasp.org/index.php/Session_Fixation).

       

As I worked previously on a web project based on Apache Wicket, I was very confident that this wouldn't be a big issue. As it turns out now, I need some help here.

       

We are using some session-scoped beans on the login page (using the CDI @Named annotation). In order to switch the HTTP session, I use the following code during the login process:

       

       

            // obtain the current (pre-login) session and invalidate it
            HttpSession session = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false);
            session.invalidate();
            // force creation of a fresh session with a new id
            FacesContext.getCurrentInstance().getExternalContext().getSession(true);

       

As the CDI context is removed only at the end of the request cycle, of course the previously managed session beans are gone. And I didn't find a way to preserve the beans into the newly created CDI context.

       

What I am looking for is a way to switch the underlying HTTPSession without destroying the CDI context. In Apache Wicket there is a very convenient method on the Session class: org.apache.wicket.Session.replaceSession(), which replaces the underlying HTTP session but preserves the Wicket session. Does anything similar exist in JSF?

       

Any help would be greatly appreciated.

       

      Greetings,

      Thomas
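Added example, not part of the thread and not the project's own code: a helper that rotates the HTTP session after login while carrying the servlet-level session attributes across to the new session, so that application state stored there survives the invalidation. It assumes the JSF 2 and Servlet 3.0 APIs available on JBoss AS 7; the class name and the choice to copy every attribute are assumptions made here, and whether a CDI implementation's session-scoped beans survive depends on how that implementation stores them, which this example does not address.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;

/** Rotates the HTTP session id after a successful login (constructed example). */
public final class SessionRotator {

    private SessionRotator() {}

    /**
     * Invalidates the current (pre-authentication) session and creates a fresh
     * one, copying the servlet-level attributes across. Returns the new session,
     * whose id differs from the id the browser held before login, so an id that
     * was planted before authentication no longer identifies the logged-in user.
     *
     * Usage from a JSF login action, after the credentials have been verified:
     *     SessionRotator.rotate(FacesContext.getCurrentInstance());
     */
    public static HttpSession rotate(FacesContext ctx) {
        ExternalContext ext = ctx.getExternalContext();
        HttpSession old = (HttpSession) ext.getSession(false);

        // Snapshot the attributes before invalidation; a real application may
        // want to filter this list rather than carry every attribute across.
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate(); // the pre-login id is now dead on the server
        }

        // getSession(true) creates a new HttpSession with a freshly generated id
        HttpSession fresh = (HttpSession) ext.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

On a Servlet 3.1 container, HttpServletRequest.changeSessionId() rotates the id in place without invalidating the session and its attributes, but JBoss AS 7.1.1 implements Servlet 3.0, so that method is not available there.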