[SERVLET_SPEC-13] Make session fixation protection part of the spec Created: 04/Oct/11  Updated: 19/Sep/12  Resolved: 19/Sep/12

Status: Resolved
Project: servlet-spec
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: markt_asf Assignee: Shing Wai Chan
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


One of the options for providing protection against session fixation is to change the ID of a session on authentication. It would be good if something along the lines of a changeId() method could be added to the session interface to enable custom security solutions to do this easily. An associated event for sessions listeners would also be required.

Comment by markt_asf [ 04/Oct/11 ]

On a related note we may want to consider an option to control if this happens when using container provided authentication.

Comment by janbartel [ 06/Feb/12 ]

Access will be needed to the current request, and also the current response in order to effectively change the session id.

So I propose we add the following to the HttpSession object:

public String changeId (HttpServletRequest request, HttpServletResponse response);

where the return value is the new sessionId.

Comment by gregwilkins [ 06/Feb/12 ]

Note also that we have to consider shared session IDs with cross context dispatch.

If a server is working with cross context dispatch, then many contexts can have the same session ID pointing to different sessions. Changing the session ID on one context will have to change the session ID for all contexts (just as invalidating on one will invalidate on all).
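The rotate-on-authentication step this thread is asking for, as an added example that is not part of the issue or of any container's code: a login servlet that calls `HttpServletRequest.changeSessionId()` together with an `HttpSessionIdListener` (the Servlet 3.1 form of the `changeId(request, response)` and listener-event idea proposed above; assumed here, since this page does not state the final API). `authenticate()` and its hard-coded credentials are placeholders for the application's own credential check.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Added example: issue a fresh session id on successful login so a session id
// that existed before authentication never becomes an authenticated one.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Placeholder for the application's real credential check (constructed values).
    private boolean authenticate(String user, String password) {
        return "alice".equals(user) && "correct-horse".equals(password);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        if (!authenticate(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = req.getSession(true);
        // Servlet 3.1 (assumed API): same HttpSession object and attributes, new id;
        // the container re-issues the session cookie on this response for us,
        // which is why the proposal above needs both request and response.
        String oldId = session.getId();
        String newId = req.changeSessionId();
        session.setAttribute("user", user);
        log("session id rotated on login: " + oldId + " -> " + newId);
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}

// Components that key state by session id (caches, per-session locks) are
// notified of the change instead of holding a stale id.
@WebListener
class SessionIdChangeLogger implements HttpSessionIdListener {
    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        // event.getSession().getId() already returns the new id here.
        event.getSession().getServletContext().log(
            "session id changed: " + oldSessionId + " -> " + event.getSession().getId());
    }
}
```

With cross-context dispatch, as noted in the comment above, the container is expected to apply the change to every context sharing that id; the listener fires in each context that registers it.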


Comment by Shing Wai Chan [ 14/Sep/12 ]

Incremental fixes:
Committed revision 42.

Modified Paths:

Comment by Shing Wai Chan [ 19/Sep/12 ]

Sending sessions.fm
Sending status.fm
Transmitting file data ..
Committed revision 44.
