A product I work on got a tough security audit by a potential customer and they are upset that Tomcat sets a JSESSIONID cookie before authentication has happened. That is, Tomc
Two things I've found that might be helpful to others.
If you're using Apache Wicket, there is a solution for this after version 1.4. My app is still on 1.3, so I didn't realize, but I was able to back port it very easily in my own WebSession class. Wicket 1.4 adds a replaceSession() method to WebSession, which works great. You can call it right after authentication and you'll get a new JSESSIONID. It basically solved this problem for me. More info here: https://issues.apache.org/jira/browse/WICKET-1767.
There is an Apache Tomcat valve available after version 5.5.29 which you can add to context.xml. It will handle issuing a new JSESSIONID after authentication. More info is available here: https://issues.apache.org/bugzilla/show_bug.cgi?id=45255. The entry for the valve would look like this:
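The valve's context.xml entry is not reproduced on this page. What follows instead is an added example, not code from the answer above and not Wicket's or Tomcat's own implementation: a plain servlet helper that does by hand what Wicket's replaceSession() and the Tomcat valve do automatically, namely retire the pre-authentication session (and its JSESSIONID) and issue a fresh one once login succeeds, so a session ID an attacker planted or observed before login is worthless afterwards. The class name, the `principal` attribute name and the copying of all session attributes are assumptions for illustration.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example (hypothetical helper, not part of Wicket or Tomcat).
 * Call rotateAfterLogin() right after credentials have been verified and
 * BEFORE anything is written to the response: the new JSESSIONID travels in a
 * Set-Cookie header, which cannot be added once the response is committed.
 */
public final class SessionIdRotation {

    private SessionIdRotation() {}

    /**
     * Replaces the caller's current session with a new one carrying a new ID.
     * Attributes stored before login (e.g. a shopping cart, locale) are carried
     * over; the authenticated principal is recorded only on the new session.
     *
     * @return the freshly created session
     * @throws IllegalStateException if the container handed back the same ID
     */
    public static HttpSession rotateAfterLogin(HttpServletRequest request, String principalName) {
        HttpSession old = request.getSession(false);
        String oldId = null;
        Map<String, Object> carried = new HashMap<>();

        if (old != null) {
            oldId = old.getId();
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            // Invalidating retires the pre-auth session server-side, so the
            // JSESSIONID the client (or an attacker) already holds stops working.
            old.invalidate();
        }

        // getSession(true) after invalidate() creates a brand-new session with a
        // new ID and queues the Set-Cookie for it.
        HttpSession fresh = request.getSession(true);

        // Defensive check: the whole point is a different identifier.
        if (oldId != null && oldId.equals(fresh.getId())) {
            throw new IllegalStateException("container reused session id after invalidate()");
        }

        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        // "principal" is an assumed attribute name for this example.
        fresh.setAttribute("principal", principalName);
        return fresh;
    }
}
```

In a login servlet this is a single call after the password check succeeds, e.g. `SessionIdRotation.rotateAfterLogin(request, username);`, followed by the redirect to the post-login page. On Servlet 3.1 containers (Tomcat 8 and later) the standard API `request.changeSessionId()` does the ID swap in one step while keeping the session's attributes, which makes the copy loop above unnecessary; the pre-3.1 invalidate-and-recreate approach shown here is what older Tomcat versions such as the 5.5/6.0 line in the answer require. Either way, verify the fix the way the auditor would: log in with a browser's developer tools open and confirm the JSESSIONID value in the response differs from the one sent with the login request.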