Yea, that's session fixation... see http://www.owasp.org/index.php/Session_Fixation
Grabbing the session and invalidating it directly does the trick, but you have to be sure this occurs at the end of the request; otherwise Tapestry may try to reuse the session and, because that has been invalidated, you'd get exceptions.

On Mon, Oct 18, 2010 at 14:45, Thiago H. de Paula Figueiredo <thiag...@gmail.com> wrote:
> On Mon, 18 Oct 2010 08:47:05 -0200, Mike Oestereter <mike.oestere...@gmail.com> wrote:
>
>> Hi
>
> Hi!
>
>> How can I change the value of the JSESSIONID cookie after successful login? Failure to do this will result in a session hijacking vulnerability.
>
> The session cookie is created and removed by the servlet container (server), not by Tapestry itself. Have you tried grabbing the Session object and invalidating it directly?
>
> Could you post us something about the vulnerability? I'm curious to read about it. :)
>
>> In Tapestry 5.0 the value of the cookie (somewhat magically and unexpectedly) changed when a new instance of my SessionState object was created: e.g.
>
> Are you sure? This doesn't make a lot of sense. As you can have more than one session state object, changing the session id would be the same as invalidating the session. This would be a serious bug.
>
> --
> Thiago H. de Paula Figueiredo
> Independent Java, Apache Tapestry 5 and Hibernate consultant, developer, and instructor
> Owner, Ars Machina Tecnologia da Informação Ltda.
> http://www.arsmachina.com.br
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> For additional commands, e-mail: users-h...@tapestry.apache.org
>

--
Andreas Andreou - andy...@apache.org - http://blog.andyhot.gr
Tapestry PMC / Tacos developer
Open Source / JEE Consulting
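The "grab the session and invalidate it" fix Andreas describes, written out against the plain Servlet API so it does not depend on Tapestry internals. This is an added example, not code from the thread or from the Tapestry project. It assumes a Servlet 2.5 container (what Tapestry 5 ran on in 2010); on Servlet 3.1 and later, HttpServletRequest.changeSessionId() does the same job in one call. The class name SessionRotation and the method name rotate are illustrative. Where in the Tapestry request cycle to call it so that it runs last is exactly the caveat in Andreas's reply and is not shown here.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Rotates the servlet session id after a successful login so that a session
 * id planted before authentication (session fixation) does not survive into
 * the authenticated session.
 *
 * Added example (hypothetical class), not Tapestry project code. Servlet 2.5
 * API; on Servlet 3.1+ use HttpServletRequest.changeSessionId() instead.
 */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Invalidates the current session and creates a fresh one carrying the
     * same attributes. Must run before the response is committed (i.e. before
     * any redirect is sent), otherwise the container cannot emit the new
     * Set-Cookie: JSESSIONID header. Returns the new session, or null when no
     * session existed (nothing to rotate: the first getSession(true) after
     * login already produces an id the attacker never saw).
     */
    public static HttpSession rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            return null;
        }

        // Snapshot the attributes first; they are gone once invalidate() runs.
        Map<String, Object> attributes = new HashMap<String, Object>();
        Enumeration<?> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            attributes.put(name, old.getAttribute(name));
        }
        int maxInactive = old.getMaxInactiveInterval();

        // Dropping the old id is the whole point: the pre-login id that an
        // attacker may have fixed must no longer map to the authenticated user.
        // From here on, any code still holding 'old' gets IllegalStateException
        // if it touches it; this is the exception Andreas warns about.
        old.invalidate();

        // getSession(true) after invalidate() yields a session with a new id
        // and queues the new JSESSIONID cookie on the response.
        HttpSession fresh = request.getSession(true);
        fresh.setMaxInactiveInterval(maxInactive);
        for (Map.Entry<String, Object> e : attributes.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Call rotate(request) from the login handler right after the credentials check succeeds and before returning the redirect. Copying the attributes keeps whatever the framework already stored in the session; if you would rather not carry pre-authentication state into the authenticated session, skip the copy and re-populate only what the logged-in user needs.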