session id change and attributes copying after login


Solution 1

If you use Spring Security, the framework should change the session id after login by default.

@see Spring Security FAQ:

Why does the session Id change when I authenticate through Spring Security?

With the default configuration, Spring Security invalidates the existing session when the user authenticates and creates a new one, transferring the session data to it. The intention is to change the session identifier to prevent “session-fixation” attacks. You can find more about this online and in the reference manual.


If you do not use Spring (Security) you have to do it on your own, roughly like this:

public class Login extends HttpServlet {
...
    HttpSession session = request.getSession();
    // Copy every attribute out of the old session. The Servlet API has no getAll():
    // use getAttributeNames() and a loop with getAttribute(String name)
    // (getValueNames()/getValue() are the deprecated equivalents).
    Map<String, Object> values = new HashMap<String, Object>();
    for (Enumeration<?> names = session.getAttributeNames(); names.hasMoreElements();) {
        String name = (String) names.nextElement();
        values.put(name, session.getAttribute(name));
    }

    // Kill the current session (and with it the old session id)
    session.invalidate();

    // Create a new session, which gets a new id, and put the attributes back
    HttpSession newSession = request.getSession(true);
    for (Map.Entry<String, Object> e : values.entrySet()) {
        newSession.setAttribute(e.getKey(), e.getValue());
    }
...

Solution 2

    // Needs java.util.Enumeration, java.util.HashMap, java.util.Map and javax.servlet.http.HttpSession
    session = request.getSession(true);
    Enumeration<?> keys = session.getAttributeNames();
    HashMap<String, Object> hm = new HashMap<String, Object>();
    while (keys.hasMoreElements())
    {
      String key = (String) keys.nextElement();
      hm.put(key, session.getAttribute(key)); // getValue() is deprecated; getAttribute() is its replacement
      // no removeAttribute() needed here: invalidate() discards the old attributes anyway
    }
    session.invalidate();                 // the old session id is now dead
    session = request.getSession(true);   // new session, new id
    for (Map.Entry<String, Object> m : hm.entrySet())
    {
      session.setAttribute(m.getKey(), m.getValue());
    }
    // Clear the copy only after the loop: removing entries while iterating entrySet()
    // throws ConcurrentModificationException (the original hm.remove(m) passed the
    // entry instead of the key, so it silently removed nothing).
    hm.clear();
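The technique both answers describe (snapshot the attributes, invalidate the old session, create a new one, restore the attributes) as a complete, compilable unit. This is an added example, not code from the question or from either answer. It assumes the Servlet 2.5 API that Tomcat 6 implements (javax.servlet.http); the names SessionIdRotator, rotate, snapshot, LoginServlet and credentialsValid are this example's own, and it also handles the case from the comments where the session has already been invalidated by the time invalidate() is called.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Session-fixation defence for a plain servlet application (added example,
 * not code from the question or the answers): once the credentials have been
 * verified, drop the pre-login session and move its attributes into a freshly
 * created one, so whatever session id existed before login stops being valid.
 * Class and method names are this example's own; the servlet calls are
 * Servlet 2.5 API, as shipped with Tomcat 6.
 */
public final class SessionIdRotator {

    private SessionIdRotator() {
    }

    /** Replaces the caller's session with a new one carrying the same attributes. */
    public static HttpSession rotate(HttpServletRequest request) {
        // getSession(false) never creates a session: a request without one
        // (or whose session was already invalidated) simply gets a fresh one.
        HttpSession old = request.getSession(false);
        Map<String, Object> attributes = snapshot(old);

        if (old != null) {
            try {
                old.invalidate();
            } catch (IllegalStateException alreadyInvalid) {
                // Invalidated elsewhere (e.g. by an earlier filter); this is the
                // "Session already invalidated" error mentioned in the comments.
            }
        }

        // A new session means a new id and a new JSESSIONID cookie on the response.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : attributes.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Copies every attribute into a map; empty when there is no usable session. */
    static Map<String, Object> snapshot(HttpSession session) {
        if (session == null) {
            return Collections.emptyMap();
        }
        Map<String, Object> copy = new HashMap<String, Object>();
        try {
            // Raw Enumeration in Servlet 2.5, Enumeration<String> in 3.0+; the cast covers both.
            Enumeration<?> names = session.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                copy.put(name, session.getAttribute(name));
            }
        } catch (IllegalStateException alreadyInvalid) {
            // Nothing can be read from an invalidated session; start empty.
        }
        return copy;
    }
}

/**
 * Login servlet skeleton showing where the rotation belongs. The application
 * supplies credentialsValid(); rotate() runs only after it returns true and
 * before any post-login state is stored, so that state only ever lives under
 * the new session id.
 */
abstract class LoginServlet extends HttpServlet {

    protected abstract boolean credentialsValid(String username, String password);

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null || !credentialsValid(username, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = SessionIdRotator.rotate(request);
        session.setAttribute("authenticatedUser", username);
        response.sendRedirect(request.getContextPath() + "/home");
    }
}
```

The rotation has to happen before the response is committed, otherwise the container cannot send the new JSESSIONID cookie; calling it before the redirect, as above, satisfies that. Containers implementing Servlet 3.1 or later also provide HttpServletRequest.changeSessionId(), which renews the id in place without the copy step, but that method does not exist on Tomcat 6.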
Author by coder247

Updated on December 31, 2020

Comments

  • coder247
    coder247 over 3 years

    My application uses Java servlets, JSP and Tomcat 6. I would like to implement a session id change and want to copy the old session attributes to the new one after login. We started using a little bit of Spring in this. What is the best way to add this feature to a 10 year old application like this?

  • coder247
    coder247 almost 13 years
    When I call session.invalidate() it throws an exception: java.lang.IllegalStateException: getLastAccessedTime: Session already invalidated
  • Ralph
    Ralph almost 13 years
    To my understanding: the doc said you do not need to do anything. Have you checked that the session id does not change automatically, before trying to implement your own logic?
  • coder247
    coder247 almost 13 years
    Sorry, the context is different. It is not about Spring Security.
  • Prasad
    Prasad over 7 years
    Some more explanation helps folks to understand clearly
  • Dhruv Singhal
    Dhruv Singhal over 5 years
    Hi! Is there a way to add a session attribute just after login? Where should I put the attribute-adding part? I am using Spring Security, just in case.
  • Ralph
    Ralph over 5 years
    @Dhruv Singhal: you could implement an AuthenticationSuccessHandler to get access to the HTTP session after successful login (do not forget to invoke the "original" AuthenticationSuccessHandler). Or you hook up at the AuthenticationSuccessEvent or InteractiveAuthenticationSuccessEvent and try to get access to the HTTP request via RequestContextHolder (I never used RequestContextHolder before, so I do not know how to get it running).
  • Dhruv Singhal
    Dhruv Singhal over 5 years
    Thanks a ton, somehow I also got the link for tutorials explaining the same thing.