  • concurrentsessionfilter and custom session id renewal filter

    Hi,

    We have had to implement renewing the session id for each request (to prevent the session fixation threat).

    The problem is in the usage of the out-of-the-box concurrentsessionfilter configuration. Since it keeps user info based on the session id, and the session id is changed per request, it is unable to distinguish a request from the same session from one from a different session. In fact, it never reaches the line which would invalidate the previous session.


    To put the challenge I am facing again:

    ---part of the spring concurrentsessionfilter code ----
    ----
    -----
    SessionInformation info = sessionRegistry.getSessionInformation(session.getId());

    if (info != null) {
        if (info.isExpired()) {
            // Expired - abort processing
            doLogout(request, response);

    -----
    ------

    ---code ends----


    1. User logs in to the system and makes the first request:
    a. concurrentsessionfilter updates the session information, keeping the session id.
    b. The session id regeneration filter regenerates the session id. (This filter is configured to run in the last position.)

    2. User makes a second request within the same session:
    a. Since concurrentsessionfilter doesn't recognize this new session id, the 'info' variable in the code copied above is null.
    b. The session id regeneration filter regenerates the session id.


    The above repeats with each request.

    3. User logs in in a second browser window.
    a. The new session is stored in the map.
    b. The session id regeneration filter regenerates the session id.

    4. User makes a request in the first browser window.
    a. Again, since this session id is not in the map, it doesn't get inside the "if block" as the 'info' variable is null, and hence this session is not validated.

    Please suggest if there is a work-around without customization.

    Thanks.
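    The sequence above boils down to one fact: ConcurrentSessionFilter looks the session up in the SessionRegistry by its id, and a renewal filter that changes the id without touching the registry leaves the entry under a key no later request will ever present. The filter below is an added illustration written for this thread, not code from the original post or from Spring Security itself; it rotates the id on every request and moves the registry entry to the new id so the lookup in the snippet above keeps succeeding. The class name is hypothetical, it assumes a Servlet 3.1+ container for HttpServletRequest#changeSessionId(), and it uses the public SessionRegistry methods (getSessionInformation, removeSessionInformation, registerNewSession) and SessionInformation#expireNow().

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;

/**
 * Hypothetical per-request session id renewal filter that also re-keys the
 * SessionRegistry entry, so ConcurrentSessionFilter (which runs earlier in the
 * chain and looks the session up by id) still finds it on the next request.
 * Assumes a Servlet 3.1+ container for HttpServletRequest#changeSessionId().
 */
public class RegistryAwareSessionIdRenewalFilter implements Filter {

    private final SessionRegistry sessionRegistry;

    public RegistryAwareSessionIdRenewalFilter(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);

        // Rotate before the application writes the response; once the response is
        // committed the container can no longer send the new session cookie.
        if (session != null) {
            renewAndReKey(request, session.getId());
        }
        chain.doFilter(req, res);
    }

    private void renewAndReKey(HttpServletRequest request, String oldId) {
        // Look the entry up under the id ConcurrentSessionFilter just checked.
        SessionInformation info = sessionRegistry.getSessionInformation(oldId);

        // Same session object and attributes, fresh id, new Set-Cookie on the response.
        String newId = request.changeSessionId();

        if (info == null) {
            return; // anonymous session, or not registered yet: nothing to move
        }
        // Move the entry to the new id. Without this step the next request's lookup
        // returns null and concurrency control is silently skipped, as in step 2a.
        sessionRegistry.removeSessionInformation(oldId);
        sessionRegistry.registerNewSession(newId, info.getPrincipal());
        if (info.isExpired()) {
            // Preserve the "expired" mark so the logout still happens on the next request.
            SessionInformation moved = sessionRegistry.getSessionInformation(newId);
            if (moved != null) {
                moved.expireNow();
            }
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}
```

    The filter belongs in the position the original post describes, after ConcurrentSessionFilter, and it must receive the same SessionRegistry bean that the concurrency control strategy registers sessions with; a second registry instance would reproduce the very problem the thread is about.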

  • #2
    I think your best bet is to add a custom filter that maintains a separate cookie that is updated every request and stores the expected value in the session. If the two values don't match, then fail.

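    One way to implement the suggestion in #2, as an added example written for this thread rather than code from the reply or from Spring Security: a filter that issues a fresh random token in a second cookie on every request, remembers the expected value in the session, and ends the session when a request presents a different token. The session id itself stays stable, so the SessionRegistry lookup that the first post describes keeps working, while a fixated or replayed token fails on the next request. The class, cookie and attribute names are constructed for this example, and it assumes a Servlet 3.0+ container for Cookie#setHttpOnly().

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter for the suggestion in #2: a second cookie that is re-issued
 * on every request, with the expected value kept in the session. A request whose
 * cookie does not match the stored value ends the session. Cookie and attribute
 * names are constructed for this example.
 */
public class RotatingTokenFilter implements Filter {

    static final String COOKIE_NAME = "SESSIONTOKEN";
    static final String SESSION_ATTR = RotatingTokenFilter.class.getName() + ".TOKEN";

    private final SecureRandom random = new SecureRandom();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);

        if (session != null) {
            String expected = (String) session.getAttribute(SESSION_ATTR);
            String presented = readToken(request);

            // A session that already holds a token must present exactly that token.
            if (expected != null && !constantTimeEquals(expected, presented)) {
                session.invalidate();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Rotate: store the next expected value and send it as a fresh cookie.
            // Done before the application can commit the response.
            String next = newToken();
            session.setAttribute(SESSION_ATTR, next);
            Cookie cookie = new Cookie(COOKIE_NAME, next);
            cookie.setPath("/");
            cookie.setHttpOnly(true);
            cookie.setSecure(request.isSecure());
            response.addCookie(cookie);
        }
        chain.doFilter(req, res);
    }

    private String newToken() {
        byte[] bytes = new byte[32]; // 256 bits from a CSPRNG
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    private static String readToken(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) {
                return c.getValue();
            }
        }
        return null;
    }

    // Constant-time comparison so the check does not leak how many bytes matched.
    private static boolean constantTimeEquals(String expected, String presented) {
        if (presented == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.US_ASCII),
                presented.getBytes(StandardCharsets.US_ASCII));
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}
```

    Two caveats a practitioner will want to know about. First, the check runs on every request that has a session, so it should sit after the authentication filters and the token should be (re)issued at login as part of the normal session-fixation protection. Second, rotating a value on every request means two requests sent concurrently from one browser (for example parallel AJAX calls) can race: the second one arrives with the token the first one just replaced and is rejected. That race already exists with per-request session id renewal, so it is not made worse here, but the failure path should be tolerant of it (a logout rather than a silent hang) and the rotation interval can be relaxed if it becomes a problem.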


    • #3
      Hi Rob,

      Thanks for the reply. Could you please elaborate on your idea?
