Cannot Reset JSESSIONID After Authentication


I'm trying to reset JSESSIONID after login, but I cannot. I have tried the following:

...
HttpSession ghostSession = request.getSession(false); // the existing pre-login session
ghostSession.invalidate();                            // drop it
request.getSession(true);                             // expect a new JSESSIONID from here on

...

// some more manipulations of the ghostSession here. 
...

But the JSESSIONID doesn't get reset. Am I missing anything here? Is it because the manipulation of ghostSession after it's invalidated is preventing the JSESSIONID from being reset?

I'm using Resin 4.X as my web container BTW.

Thank you.


1 answer

gye (best answer):

Thanks to the insight from here, it's a Resin problem.

Basically doing the combination of

request.getSession(false).invalidate();
request.getSession(true);

will not trigger Resin to reset the JSESSIONID.

Also HttpSession.changeSessionId() is only supported since Servlet 3.1, and Resin 4.0.X doesn't support Servlet 3.1.

What I ended up doing is to adjust Resin's session handling, i.e. set <reuse-session-id> to false within <session-config>.

I hope this helps.
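The point of resetting JSESSIONID at login is session fixation: an id the client held before authentication must not be carried into the authenticated session. The helper below is an added example, not code from the question, the answer or Resin. It prefers HttpServletRequest.changeSessionId() (Servlet 3.1) and falls back to the invalidate-then-getSession(true) sequence discussed above on older containers, copying the attributes across before invalidation (the servlet API specifies that most HttpSession methods throw IllegalStateException once the session is invalidated, which is one reason to stop touching the old session object afterwards). The final check compares the old and new ids, so a container that silently reuses the id, as the answer reports for Resin 4.0.x unless <reuse-session-id> is set to false, fails loudly instead of leaving the fixation window open. The class name, method names and the javax.servlet package are assumptions for the example.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Example helper (not part of Resin or the original post) that rotates the
 * session id after a successful credential check, so that whatever JSESSIONID
 * the client presented before login is never promoted to an authenticated one.
 */
public final class SessionIdRotator {

    private SessionIdRotator() {}

    /**
     * Rotates the id of the current session and returns the new id.
     * Call this immediately after credentials have been verified and before
     * anything authenticated is stored in the session.
     */
    public static String rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // No pre-login session exists, so there is nothing to fixate;
            // just create a fresh one.
            return request.getSession(true).getId();
        }
        String oldId = old.getId();

        try {
            // Servlet 3.1+: the container changes the id and keeps attributes.
            String newId = request.changeSessionId();
            verifyChanged(oldId, newId);
            return newId;
        } catch (IncompatibleClassChangeError | UnsupportedOperationException e) {
            // Method missing at runtime (Servlet 3.0 container such as
            // Resin 4.0.x) or not supported: fall through to the manual path.
        }

        // Copy attributes BEFORE invalidating; reading them afterwards throws
        // IllegalStateException per the servlet API.
        Map<String, Object> saved = new HashMap<>();
        for (String name : Collections.list(old.getAttributeNames())) {
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();

        // A new session; on a well-behaved container this has a new id.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        verifyChanged(oldId, fresh.getId());
        return fresh.getId();
    }

    /** Fails fast if the container handed back the same id it was asked to drop. */
    private static void verifyChanged(String oldId, String newId) {
        if (oldId.equals(newId)) {
            throw new IllegalStateException(
                "session id was reused after rotation; on Resin set "
                + "<reuse-session-id> to false inside <session-config>");
        }
    }
}
```

Typical use in a login servlet is `String id = SessionIdRotator.rotate(request);` right after the password check succeeds, followed by storing the authenticated principal in `request.getSession(false)`. The verifyChanged check is the piece worth keeping even if the rest is replaced: it turns "the id did not change" from something noticed in a browser's cookie jar into a failed login that shows up in logs.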