On Mon, 18 Oct 2010 10:26:00 -0200, Andreas Andreou <andy...@di.uoa.gr> wrote:

> Yea, that's session fixation...
> see http://www.owasp.org/index.php/Session_Fixation

Thanks for the link! :)

> Grabbing the session and invalidating directly does the trick but
> you have to be sure this occurs at the end of the request - otherwise
> Tapestry may try to reuse the session and because that has been invalidated you'd get exceptions.

As long as you invalidate it through Tapestry (Session.invalidate()) instead of directly through HttpSession.invalidate(), I don't think exceptions will be thrown.

--
Thiago H. de Paula Figueiredo
Independent Java, Apache Tapestry 5 and Hibernate consultant, developer, and instructor
Owner, Ars Machina Tecnologia da Informação Ltda.
http://www.arsmachina.com.br
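
An added example, not from the thread or from Tapestry itself: one way to apply the advice above at login, dropping the pre-login session through Tapestry's `Session.invalidate()` and continuing in a fresh one. `SessionRenewer` and `renew` are hypothetical names, and the code assumes `Request.getSession(true)` returns a new session once the old one has been invalidated this way.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.Session;

/** Hypothetical helper (not part of Tapestry): call it right after credentials are verified. */
public class SessionRenewer {

    private final Request request;

    public SessionRenewer(Request request) {
        this.request = request;
    }

    /**
     * Replaces the pre-login session, whose id may have been planted on the client,
     * with a new one, so the id known before authentication is never the
     * authenticated one. Only the named attributes are carried over.
     */
    public Session renew(String... attributesToKeep) {
        Map<String, Object> kept = new HashMap<String, Object>();

        // false: do not create a session just to throw it away
        Session old = request.getSession(false);
        if (old != null) {
            for (String name : attributesToKeep) {
                Object value = old.getAttribute(name);
                if (value != null) {
                    kept.put(name, value);
                }
            }
            // Tapestry's wrapper, not HttpSession.invalidate(), so Tapestry
            // knows the session is gone and does not try to reuse it.
            old.invalidate();
        }

        // Assumption: after the invalidate above this yields a new session (new id).
        Session fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : kept.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

Store the authenticated user in the returned session only; anything not listed in `attributesToKeep` is discarded with the old session.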
