session id change and attributes copying after login
Solution 1
If you use Spring Security, the framework should change the session id after login by default.
@see Spring Security FAQ:
Why does the session Id change when I authenticate through Spring Security?
With the default configuration, Spring Security invalidates the existing session when the user authenticates and creates a new one, transferring the session data to it. The intention is to change the session identifier to prevent “session-fixation” attacks. You can find more about this online and in the reference manual.
If you do not use Spring (Security) you have to do it on your own, roughly like this:
public class Login extends HttpServlet {
...
HttpSession session = request.getSession();
// Copy every attribute of the current session into a map
// (Servlet 2.5 / Tomcat 6 returns a raw Enumeration here)
Map<String, Object> values = new HashMap<String, Object>();
Enumeration<?> names = session.getAttributeNames();
while (names.hasMoreElements()) {
    String name = (String) names.nextElement();
    values.put(name, session.getAttribute(name));
}
// Kill the current session (this is what changes the session id)
session.invalidate();
HttpSession newSession = request.getSession(true);
// Put the saved attributes into the new session
for (Map.Entry<String, Object> e : values.entrySet()) {
    newSession.setAttribute(e.getKey(), e.getValue());
}
...
Solution 2
session = request.getSession(true);
// Save every attribute of the old session before invalidating it
Enumeration<?> keys = session.getAttributeNames();
HashMap<String, Object> hm = new HashMap<String, Object>();
while (keys.hasMoreElements())
{
    String key = (String) keys.nextElement();
    hm.put(key, session.getAttribute(key)); // getValue() is deprecated, use getAttribute()
    session.removeAttribute(key);
}
// Invalidate the old session and start a new one with a fresh session id
session.invalidate();
session = request.getSession(true);
// Restore the saved attributes into the new session
for (Map.Entry<String, Object> m : hm.entrySet())
{
    session.setAttribute(m.getKey(), m.getValue());
}
// Removing entries while iterating over entrySet() throws ConcurrentModificationException
hm.clear();
coder247
Updated on December 31, 2020
Comments
-
coder247 over 3 years
My application uses Java servlets, JSP and Tomcat 6. I would like to implement a session id change and want to copy the old session attributes to the new one after login. We started using a little bit of Spring in this. Which is the best way to add this feature to a 10 year old application like this?
-
coder247 almost 13 years When I call session.invalidate() it throws an exception: java.lang.IllegalStateException: getLastAccessedTime: Session already invalidated
-
Ralph almost 13 years To my understanding: the doc said you do not need to do anything. Have you checked that the session id does not change automatically, before trying to implement your own logic?
-
coder247 almost 13 years Sorry, the context is different. It is not about Spring Security.
-
Prasad over 7 years Some more explanation helps folks to understand clearly.
-
Dhruv Singhal over 5 years Hi! Is there a way to add a session attribute just after login? Where should I put the attribute-adding part? I am using Spring Security, just in case.
-
Ralph over 5 years @Dhruv Singhal: you could implement an AuthenticationSuccessHandler to get access to the HTTP session after successful login (do not forget to invoke the "original" AuthenticationSuccessHandler). Or you hook up at the AuthenticationSuccessEvent or InteractiveAuthenticationSuccessEvent and try to get access to the HTTP request via RequestContextHolder (I never used RequestContextHolder before, so I do not know how to get it running).
-
Dhruv Singhal over 5 years Thanks a ton, somehow I also got the link for tutorials explaining the same thing.
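For the plain-servlet case discussed in the answers (no Spring Security), here is an added example of the session migration as one reusable helper that also handles the "Session already invalidated" IllegalStateException raised in the comments. It is not code from the original answers; the class and method names (SessionMigration, migrate) are my own, and it assumes the Servlet 2.5 API shipped with Tomcat 6.

```java
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: replace the caller's session with a fresh id after login. */
public final class SessionMigration {

    private SessionMigration() {}

    /**
     * Invalidates the current session (if any) and returns a new one that carries
     * the old attributes. Call it once, right after the credentials have been
     * verified and before anything is written to the response, e.g.:
     *   SessionMigration.migrate(request).setAttribute("user", account);
     */
    public static HttpSession migrate(HttpServletRequest request) {
        // getSession(false) never creates a session: null means there is nothing
        // to carry over (first request, or the session is already gone).
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new LinkedHashMap<String, Object>();
        if (old != null) {
            try {
                // Servlet 2.5 returns a raw Enumeration, hence the cast below
                Enumeration<?> names = old.getAttributeNames();
                while (names.hasMoreElements()) {
                    String name = (String) names.nextElement();
                    saved.put(name, old.getAttribute(name));
                }
                // This is the step that changes the session id
                old.invalidate();
            } catch (IllegalStateException alreadyInvalid) {
                // Thrown when the session was invalidated earlier in this request
                // (for example by another filter or a second call to this helper).
                // Nothing more can be read from it; continue with a fresh session.
                saved.clear();
            }
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Because the helper reads the existing session with getSession(false) and catches the IllegalStateException, calling it twice in one request no longer fails; the second call simply returns the already-fresh session.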