
I am trying to implement security for my project that prevents session fixation.

As I have no access to the component (a filter from a certain library, let's call it MagicFilter) that handles the whole session creation and validation, I was trying to find another way of possibly doing it.

Now, consider this scenario for my session:

  • User requests the login-page
  • MagicFilter sets a cookie with a JSESSIONID etc
  • other filters do some work ...
  • Java Spring MVC, so as the last step before the user sees the LoginView I have access to stuff in my LoginController. Here I `.invalidate()` the session right before I return the view.

So basically the user never has a real and valid session ID while at the login page. Only after he logs in does the MagicFilter assign another session ID, which will then be stuck to, as I only `invalidate()` the session ID in my LoginController.

But this feels very rough and I kind of had to "hack" around the automatic process of the MagicFilter. Can anyone see if this should be safe in terms of session fixation or not?

Mercious
  • This seems rather broad for Stack Overflow; perhaps the [security](http://security.stackexchange.com/) site would be more appropriate? – GoBusto Mar 16 '15 at 13:44
  • Woah, I never even knew about that part of SO, thanks for the hint. I guess I will keep this question here though and give it some time before I open another question on the security section? I think someone with a good understanding of the whole web-security topic could answer it quite easily, but I might be mistaken. – Mercious Mar 16 '15 at 13:48
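The usual defence against session fixation is to rotate the session ID at the moment of successful authentication rather than before the login page is shown, so that whatever ID the browser carried into the login form is never the one that becomes authenticated. The following is an added example, not code from the question or from the MagicFilter library: `AuthService` and its `check` method are hypothetical stand-ins for whatever verifies the credentials.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class LoginController {

    private final AuthService authService; // hypothetical credential checker

    public LoginController(AuthService authService) {
        this.authService = authService;
    }

    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public String doLogin(@RequestParam String user,
                          @RequestParam String password,
                          HttpServletRequest request) {
        if (!authService.check(user, password)) {
            return "login"; // failed login: the old, unauthenticated session is left as-is
        }
        // Rotate the ID only now, so the pre-login ID never becomes an authenticated one.
        HttpSession fresh = rotateSession(request);
        fresh.setAttribute("principal", user);
        return "redirect:/home";
    }

    /** Invalidate the pre-login session and issue a new one, carrying over its attributes. */
    static HttpSession rotateSession(HttpServletRequest request) {
        Map<String, Object> carried = new HashMap<>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                carried.put(name, old.getAttribute(name)); // e.g. CSRF token, cart
            }
            old.invalidate(); // container forgets the ID the browser presented
        }
        HttpSession fresh = request.getSession(true); // new JSESSIONID set on this response
        carried.forEach(fresh::setAttribute);
        return fresh;
    }
}
```

On a Servlet 3.1 container, `request.changeSessionId()` performs the same rotation in one call while keeping the attributes in place, which avoids the copy loop above.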

0 Answers