A product I work on got a tough security audit by a potential customer and they are upset that Tomcat sets a JSESSIONID cookie before authentication has happened. That is, Tomc
If you are using Tomcat and want to apply this globally to all your servlets which use Tomcat's authentication mechanism, you can write a Valve to force this behavior, as shown in this sample code.
When using Spring Security, you should use SessionFixationProtectionStrategy:
<property name="sessionAuthenticationStrategy" ref="sas"/>
...
<bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"/>
When inspecting the source code, you will see that this is similar to the approach of harsha89: It will
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpSession;

// Copy the attributes of the current session, invalidate it (so the old
// JSESSIONID is dead), then move the attributes into a fresh session.
HttpSession session = request.getSession(true);
Map<String, Object> saved = new HashMap<String, Object>();
Enumeration<String> names = session.getAttributeNames();
while (names.hasMoreElements()) {
    String name = names.nextElement();
    saved.put(name, session.getAttribute(name)); // getValue() is deprecated
    session.removeAttribute(name);
}
session.invalidate();                  // old session id becomes invalid
session = request.getSession(true);    // new session => new JSESSIONID cookie
for (Map.Entry<String, Object> entry : saved.entrySet()) {
    session.setAttribute(entry.getKey(), entry.getValue());
}
// Do not remove entries from the map while iterating over it; let it go out of scope.
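The Valve mentioned in the first answer and the invalidate-and-copy snippet above both solve the same problem: the session id the browser held while anonymous must not survive into the authenticated state. As an added example (not code from any of the answers, nor from Tomcat or Spring), here is a plain servlet Filter that does this with `HttpServletRequest.changeSessionId()` from Servlet 3.1 (Tomcat 8 and later), which issues a new id and re-sends the cookie while keeping every session attribute, so no copying is needed. The filter class name, the marker attribute name and the "rotate once per authenticated principal" rule are assumptions of this example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Example filter (hypothetical name): rotates the session id the first time a
// request arrives with an authenticated principal, so the pre-login JSESSIONID
// is never reused for the logged-in session.
@WebFilter("/*")
public class SessionIdRotationFilter implements Filter {

    // Marker attribute recording which principal the current id was issued for
    // (name is an arbitrary choice for this example).
    private static final String ROTATED_FOR = "example.sessionRotatedForUser";

    @Override
    public void init(FilterConfig config) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            rotateIfJustAuthenticated((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    /**
     * Returns the new session id if the id was rotated on this request, or null
     * if nothing had to be done (anonymous request, no session, or already
     * rotated for this principal).
     */
    static String rotateIfJustAuthenticated(HttpServletRequest request) {
        if (request.getUserPrincipal() == null) {
            return null; // still anonymous: keep whatever session exists
        }
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null; // authenticated but no session in use, nothing to rotate
        }
        String user = request.getUserPrincipal().getName();
        if (user.equals(session.getAttribute(ROTATED_FOR))) {
            return null; // this id was already issued after login
        }
        // Servlet 3.1: new id, same attributes, Set-Cookie re-sent by the container.
        // Throws IllegalStateException if there is no session, hence the check above.
        String newId = request.changeSessionId();
        session.setAttribute(ROTATED_FOR, user);
        return newId;
    }

    @Override
    public void destroy() {
    }
}
```

Because `getUserPrincipal()` is populated by Tomcat's authenticator valve before filters run, the first request that carries valid credentials is the one that gets the new id; later requests from the same principal are left alone. With Tomcat's own container-managed authentication this is already the default behaviour (`changeSessionIdOnAuthentication` on the Authenticator valve defaults to true), so a filter like this mainly matters for application-level login code that sets the principal itself. On Servlet 3.0 containers without `changeSessionId()`, fall back to the invalidate-and-copy approach shown above.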
Is the problem that the JSESSIONID is visible in the browser or that it gets set in a cookie at all? I'm assuming it is the latter in your case.
1. issue a new JSESSIONID cookie after login
This is the default Tomcat behaviour if you switch from http to https at the time of login. The old one is discarded and a new one is generated.
If your login itself is over http, I guess that's another security issue for the auditors ;)
Or are all your pages over https?