We have a sample ADF application built with JDeveloper 12.1.3 and Shiro security, using GlassFish 3.1.2.19 for my web server. The problem is that the JSESSIONID is not changing before and after authentication. We are using Shiro security for session/cookie management. For protection, we are trying to generate a different session id once the authentication has been done. We explored many blogs and sites; they direct us to invalidate the existing session and create a new session for the same.
But when we followed the same, it throws a "500 server error", whereas in the log file we are getting "java.lang.IllegalStateException: org.apache.shiro.session.UnknownSessionException: There is no session with id". We also attach images of our code for login to the application.
Here we need to prevent session fixation. So, we are trying to regenerate the session id after authentication.
In the Java code, we have stopped the existing session using session.stop() and tried authenticating after this. But it is still pointing to the old session id, so we are facing an UnknownSessionException (old JSESSIONID). We believe that since we have stopped the old JSESSIONID with the stop command, we are facing this exception.
Kindly help us to fix this as soon as possible.
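
A sketch of the stop, login, re-create sequence the question describes, added here as an illustration; it is not the poster's code and is not presented as a confirmed fix for the exception above. It uses only the Shiro 1.x `Subject` and `Session` API; the class name `SessionRotatingLogin` and the `carryKeys` allow-list are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

/** Hypothetical helper (the name is an assumption): log in and end up on a new session id. */
public final class SessionRotatingLogin {

    private SessionRotatingLogin() { }

    /**
     * @param carryKeys allow-list of pre-login attributes to keep. Everything else is
     *                  dropped, since the pre-login session may have been fixed by an attacker.
     */
    public static Session login(Subject subject, AuthenticationToken token, Set<?> carryKeys)
            throws AuthenticationException {
        Map<Object, Object> carried = new LinkedHashMap<Object, Object>();
        Session old = subject.getSession(false);   // false: do not create one just to stop it
        if (old != null) {
            for (Object key : old.getAttributeKeys()) {
                Object value = old.getAttribute(key);
                if (value != null && carryKeys.contains(key)) {
                    carried.put(key, value);
                }
            }
            old.stop();   // the old id is invalid from here on; 'old' is not used again
        }
        try {
            subject.login(token);
        } catch (AuthenticationException e) {
            restore(subject, carried);   // failed login: keep the allow-listed state anyway
            throw e;
        }
        return restore(subject, carried);
    }

    /** Asks the Subject for a session again (never reusing the stopped one) and refills it. */
    private static Session restore(Subject subject, Map<Object, Object> carried) {
        Session fresh = subject.getSession(true);
        for (Map.Entry<Object, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Read session state after login only through the returned `Session`, and log the session id before and after the call to confirm that it changed.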