Session id reused after call to invalidate

I have inherited a rather ancient JSP application (JDK 1.3.1_15) and am trying to plug a session fixation hole.

After authenticating, I successfully invalidate the current session with HttpSession.invalidate(); however, when a new session is created, the old session identifier is reused.

<%
// login.jsp
if (authenticated) {
    request.getSession().invalidate();

    // create new session and store data
    HttpSession session = request.getSession();
    session.putValue(...);
    // etc

    response.sendRedirect("logged-in.jsp");
    return;
}
%>

I see a new session destination in my HTTP monitor, but it uses the same number again.

-- Initial request response --
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=6a303082951311647336934;path=/

-- login.jsp request response --
HTTP/1.1 302 Moved Temporarily
Location: http://example.com/logged-in.jsp
Set-Cookie: JSESSIONID=6a303082951311647336934;path=/

Before I was using session.invalidate(), the Set-Cookie header was missing from the second response.

Does anyone have any tips on how to generate a new session id? I am not very familiar with JRUN4, and going through the configuration documentation, I did not understand anything.

+5
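A regression check for the behaviour described in the question, as an added example that is not part of the original post: it parses captured responses in the format shown above and reports whether the login response issued a different JSESSIONID, reused the old one, or sent no Set-Cookie at all. The function names and result labels are assumptions; the sample capture reproduces the two responses quoted in the question.

```python
import re

# Sample input: the two responses quoted in the question, reproduced inline.
CAPTURE = """\
-- Initial request response --
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=6a303082951311647336934;path=/

-- login.jsp request response --
HTTP/1.1 302 Moved Temporarily
Location: http://example.com/logged-in.jsp
Set-Cookie: JSESSIONID=6a303082951311647336934;path=/
"""

MARKER = re.compile(r"^-- (.+?) --\s*$")
COOKIE = re.compile(r"^Set-Cookie:\s*(.*)$", re.IGNORECASE)


def session_ids(capture, cookie_name="JSESSIONID"):
    """Return [(label, session id or None)] for each response in the capture."""
    results = []
    for line in capture.splitlines():
        marker = MARKER.match(line)
        if marker:
            results.append([marker.group(1), None])
            continue
        cookie = COOKIE.match(line.strip())
        if cookie and results:
            # The first "name=value" pair of a Set-Cookie header is the cookie itself.
            name, _, value = cookie.group(1).split(";", 1)[0].partition("=")
            if name.strip() == cookie_name:
                results[-1][1] = value.strip()
    return [tuple(r) for r in results]


def check_rotation(capture, cookie_name="JSESSIONID"):
    """Classify the login response: 'rotated', 'reused' or 'not-reissued'."""
    ids = session_ids(capture, cookie_name)
    if len(ids) < 2:
        raise ValueError("need a pre-login and a login response")
    before, after = ids[0][1], ids[-1][1]
    if after is None:
        return "not-reissued"  # no Set-Cookie: the pre-login id stays in use
    return "reused" if after == before else "rotated"


if __name__ == "__main__":
    print(check_rotation(CAPTURE))
```

Only "rotated" means the pre-login identifier stops being valid for the authenticated session; "not-reissued" corresponds to the earlier behaviour the question mentions, where the login response carried no Set-Cookie header.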
2

, cookie, , . , cookie, . cookie, , invalidate. , , , . , cookie , . , - . , , session.invalidate() . , JRun, .

+3

7.3 Java Servlet 3.0 , , :

HttpSession ( ). , cookie, , , , , , .

, , cookie JSESSIONID . (.. ) ?

+1
