change session id after login

Mike Oestereter Mon, 18 Oct 2010 03:47:40 -0700

Hi

How can I change the value of the JSESSIONID cookie  after
succcessfull login - failure to do this will result in a session
hijacking vulnerability.
I'm not using Spring or AECGI (sp?) and am not interested in it at the moment.


In tapestry 5.0 the value of the cookie (somewhat magically and
unexpectedly) changed when a new instance of my SessionState object
was created: e.g.

        @SessionState
        private MerchantState merchantState;

        public void resetState(...) {
                merchantState = null;
                merchantState = new MerchantState();
                ...
        }

With tapestry 5.1.0.5 The cookie value now remains the same.

Thanks

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org

change session id after login

Reply via email to