I am developing a Java application that seems to have a session capture vulnerability.
To prevent this, it is recommended that you change the JSESSION identifier for the user after logging in.
My application is based on Struts 2.0 and Tomcat 7, and I have implemented the code to change the JSESSIONID after the user logs in.
However, when I ran the code, I ran into the following problem.
    java.lang.IllegalStateException: setAttribute: Session already invalidated
        at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1289)
        at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1254)
        at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:130)
        at org.apache.struts2.dispatcher.SessionMap.put(SessionMap.java:181)
Here is the code I wrote:
    // Save every attribute of the current session, then invalidate it and
    // create a fresh one so the user gets a new JSESSIONID after login.
    HttpServletRequest request = ServletActionContext.getRequest();
    HttpSession httpSession = request.getSession();
    Map<String, Object> attributes = new HashMap<String, Object>();
    Enumeration<String> enames = httpSession.getAttributeNames();
    while (enames.hasMoreElements()) {
        String name = enames.nextElement();
        if (!name.equals("JSESSIONID")) {
            attributes.put(name, httpSession.getAttribute(name));
        }
    }
    httpSession.invalidate();
    httpSession = request.getSession(true);
    // Restore the saved attributes into the new session.
    for (Map.Entry<String, Object> et : attributes.entrySet()) {
        httpSession.setAttribute(et.getKey(), et.getValue());
    }
    // This is the call that throws: Struts' SessionMap behind getSession()
    // is still bound to the session invalidated above.
    getSession().put("userid", userId);
Tags: java, struts2, owasp, sessionid, session-hijacking
hemant sharma
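An added example (not the asker's code) of doing the regeneration in a Struts 2 interceptor: it rotates the session after the login action has run but before its result is rendered, and replaces the ActionContext's cached SessionMap so that later `getSession().put(...)` calls reach the new session instead of the invalidated one. The interceptor name, the `Action.SUCCESS` check and the raw `SessionMap` constructor (so it compiles on Struts 2.0 as well as 2.1+) are assumptions; map it onto the login action only in struts.xml.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.struts2.ServletActionContext;
import org.apache.struts2.dispatcher.SessionMap;
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import com.opensymphony.xwork2.interceptor.PreResultListener;

/** Added example: rotate JSESSIONID after a successful login (map onto the login action only). */
public class SessionRegenerationInterceptor extends AbstractInterceptor {
    @Override
    public String intercept(final ActionInvocation invocation) throws Exception {
        // Hook in after the action runs but BEFORE its result is rendered: once the
        // response is committed, Tomcat can no longer send the new JSESSIONID cookie.
        invocation.addPreResultListener(new PreResultListener() {
            public void beforeResult(ActionInvocation inv, String resultCode) {
                // Assumption: the login action returns Action.SUCCESS only on valid credentials.
                if (Action.SUCCESS.equals(resultCode)) {
                    regenerateSession(ServletActionContext.getRequest());
                }
            }
        });
        return invocation.invoke();
    }

    /** Moves every attribute of the old session into a freshly created one. */
    @SuppressWarnings("unchecked")
    static void regenerateSession(HttpServletRequest request) {
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate(); // the pre-login id is useless from here on
        }
        HttpSession fresh = request.getSession(true); // Tomcat issues a new JSESSIONID
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        // The ActionContext still caches a SessionMap bound to the invalidated session;
        // replace it, or the next getSession().put() fails with "Session already invalidated".
        ActionContext.getContext().setSession(new SessionMap(request));
    }
}
```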