
Cannot Reset JSESSIONID After Authentication


I'm trying to reset JSESSIONID after login, but I cannot. I have tried the following:

...
HttpSession ghostSession = request.getSession(false);
ghostSession.invalidate();   // the old session is now invalid
request.getSession(true);    // expected to create a new session with a fresh JSESSIONID

...

// some more manipulations of the ghostSession here.
// (ghostSession was invalidated above, so any attribute access on it throws IllegalStateException)
...

But the JSESSIONID doesn't get reset. Am I missing anything here? Is it because the manipulation of ghostSession after it's invalidated is preventing the JSESSIONID from being reset?

I'm using Resin 4.X as my web container BTW.

Thank you.


Solution

  • Thanks to the insight from here, it's a Resin problem.

    Basically doing the combination of

    request.getSession(false).invalidate();
    request.getSession(true);
    

    will not trigger Resin to reset the JSESSIONID.

    Also HttpSession.changeSessionId() is only supported since Servlet 3.1, and Resin 4.0.X doesn't support Servlet 3.1.

    What I ended up doing was to adjust Resin's session handling, i.e. set <reuse-session-id> to false within <session-config>.

    I hope this helps.
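The following is an added example, not code from the question or the answer above, showing the session-renewal-after-login pattern the answer describes with both paths: the Servlet 3.1 `HttpServletRequest.changeSessionId()` (note that the method lives on the request, not on `HttpSession`) where the container offers it, and the invalidate-and-recreate fallback for Servlet 3.0 containers such as Resin 4.0.x. The class name `SessionRenewer`, the attribute name `USER_KEY` and the use of reflection to probe for `changeSessionId` are assumptions made for this example. The final ID comparison is the check the original poster was missing: it makes a container that silently hands back the old ID (Resin with `reuse-session-id` at its default) fail loudly instead of leaving the fixation hole open.

```java
import java.lang.reflect.Method;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Session-fixation defence: rotate the session identifier once the user has
 * authenticated, so an ID planted before login is no longer bound to the
 * authenticated session.
 *
 * Assumptions (made for this example, not from the original post): the
 * container is Servlet 3.0 or newer, and USER_KEY is the attribute name the
 * login code stores the principal under.
 */
public final class SessionRenewer {

    /** Hypothetical attribute name for the authenticated principal. */
    static final String USER_KEY = "authenticatedUser";

    private SessionRenewer() {}

    /**
     * Returns the session that now carries the authenticated principal under
     * a new JSESSIONID. Throws IllegalStateException if the container handed
     * the old ID back, which is exactly the Resin behaviour the answer describes.
     */
    public static HttpSession renewAfterLogin(HttpServletRequest request, Object principal) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // Nothing to rotate: no pre-login session existed.
            HttpSession fresh = request.getSession(true);
            fresh.setAttribute(USER_KEY, principal);
            return fresh;
        }
        String oldId = old.getId();

        // Path 1: Servlet 3.1+ rotates the ID in place and keeps the attributes.
        // Probed by reflection so this class also loads against a 3.0 API jar.
        try {
            Method change = HttpServletRequest.class.getMethod("changeSessionId");
            String newId = (String) change.invoke(request);
            old.setAttribute(USER_KEY, principal);
            if (!oldId.equals(newId)) {
                return old;
            }
            // Fall through: the container claimed 3.1 but did not rotate.
        } catch (NoSuchMethodException ignored) {
            // Servlet 3.0 API (e.g. Resin 4.0.x): use invalidate-and-recreate.
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("changeSessionId failed", e);
        }

        // Path 2: copy attributes, invalidate, create a new session, restore.
        Map<String, Object> attrs = new HashMap<String, Object>();
        Enumeration<String> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            attrs.put(name, old.getAttribute(name));
        }
        old.invalidate();
        // 'old' must not be touched from here on: it is invalid and any access
        // throws IllegalStateException (the "ghost session" in the question).
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : attrs.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        fresh.setAttribute(USER_KEY, principal);

        // The check the question was missing: confirm the ID really changed.
        // On Resin with <reuse-session-id> at its default this fails, because
        // the container reuses the invalidated ID for the new session.
        if (oldId.equals(fresh.getId())) {
            throw new IllegalStateException("container reused session id " + oldId
                    + "; on Resin set <reuse-session-id>false</reuse-session-id> in <session-config>");
        }
        return fresh;
    }
}
```

Call `SessionRenewer.renewAfterLogin(request, user)` from the login handler only after the credentials have been verified, and set the principal through it rather than on the old session, so nothing authenticated is ever attached to the pre-login ID. On Resin 4.0.x the second path only produces a new ID once the web-app's `<session-config>` (in resin.xml or resin-web.xml, assumed here) contains `<reuse-session-id>false</reuse-session-id>`, as the answer states; without it the exception above fires on the first login and the misconfiguration is caught in testing rather than in production.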