httpservletrequest - create new session / change session Id

Question

I\'m maintaining a Java web application.

Looking into the login code it gets an HttpSession out of HttpServletRequest via the getSession() method of HttpServletReque

Answer 1

Since Java EE 7 and Servlet API 3.1 (Tomcat 8) you can use HttpServletRequest.changeSessionId() to achieve such behaviour. There is also a listener HttpSessionIdListener which will be invoked after each change.

Answer 2

The Servlet 3.0 API doesn't allow you to change the session id on an existing session. Typically, to protect against session fixation, you'll want to just create a new one and invalidate the old one as well.

You can invalidate a session like this

request.getSession(false).invalidate();

and then create a new session with

getSession(true) (getSession() should work too)

Obviously, if you have an data in the session that you want to persist, you'll need to copy it from the first session to the second session.

Note, for session fixation protection, it's commonly considered okay to just do this on the authentication request. But a higher level of security involves a tossing the old session and making a new session for each and every request.