 

session fixation - delete session after login and make a new session - but user is then not logged in anymore

I use JSF 2.0 and Java EE 6 on a JBoss AS 7.

I have a LoginController.java looking like this:

import java.io.Serializable;

import javax.annotation.PostConstruct;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

@ManagedBean(name = "loginController")
@SessionScoped
public class LoginController implements Serializable {

    private static final long serialVersionUID = 1119172305268193508L;

    @Inject
    private UserProvider userProvider;

    private User user;

    private String accountName;

    private String password;

    // backing field for setLogin()/isLogin() (the setters are elided below)
    private boolean login;

    @PostConstruct
    public void initNewUser() {
        user = new User();
    }

    public String ownLogin() throws Exception {

        HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance()
                .getExternalContext().getRequest();

        if (accountName != null) {
            try {
                // exists() and verifyPassword() are helpers of this bean, not shown here
                if (exists(accountName)) {

                    user = userProvider.findUserByAccountName(accountName);

                    if (verifyPassword(user, password)) {

                        userProvider.saveChangedUser(user);

                        // OWASP SAYS: after login, destroy the session and make a new one,
                        // a so called handover.
                        // Destroy the (pre-authentication) session
                        FacesContext facesContext = FacesContext.getCurrentInstance();

                        HttpSession session = (HttpSession) facesContext.getExternalContext().getSession(false);
                        if (session != null) {
                            session.invalidate();
                        }
                        // create a new session after the old one was invalidated
                        session = (HttpSession) facesContext.getExternalContext().getSession(true);

                        // this flag is set on the bean instance that belongs to the OLD session
                        setLogin(true);
                    }
                }
            } catch (Exception e) {
                throw e; // the handler is elided in the original post
            }
        }
        return null; // navigation outcome elided in the original post
    }

    /* some getters and setters */

}

OWASP says that, for security reasons, the session should be destroyed after a login (see V3.7).

I do this in my code at this point:

FacesContext facesContext = FacesContext.getCurrentInstance();

HttpSession session = (HttpSession) facesContext.getExternalContext().getSession(false);
if (session != null) {
    session.invalidate();
}
// create a new session after the old one was invalidated
session = (HttpSession) facesContext.getExternalContext().getSession(true);

First, I delete the old session, then I make a new session.
After this, I set login to true...

Of course, after running through the whole code, the user is not logged in, because the LoginController was managed in the old session scope, and in the new session scope there is a new LoginController without the logged-in user...

Is there any way to add a new LoginController to the new session after creation?

Or what is the common way to do it?

Joergi asked Mar 22 '12 20:03


1 Answer

When you invalidate the session, all of its attributes will be trashed by the end of the response. You're however setting the login status on a session scoped bean instance which lives in the old session only.

You basically need to manually recreate the session scoped bean and put it in the new session after the invalidate.

ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
externalContext.invalidateSession();
LoginController loginController = new LoginController();
loginController.setUser(user);
externalContext.getSessionMap().put("loginController", loginController);

(look ma, no ugly javax.servlet imports anymore!)

By the way, when you go this way, you could also just make your LoginController a view scoped bean and deal with User in the session only.

ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
externalContext.invalidateSession();
externalContext.getSessionMap().put("user", user);

(it'll be available by #{user} throughout the EL context, also in managed properties; it does not necessarily need to be a JSF managed bean)

BalusC answered Nov 15 '22 12:11
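An added worked example (not part of the question or the answer above) that puts the answer's second suggestion together end to end: a view scoped LoginController that performs the session fixation handover with ExternalContext.invalidateSession() and stores only the authenticated User in the fresh session, plus a servlet Filter that defines "logged in" as the presence of that session attribute. User, UserProvider and findUserByAccountName are the types from the question; the UserProvider.verifyPassword method, the filter, its URL pattern, the login page path and the "home" outcome are assumptions for this example. It relies on the same behaviour the answer's snippet relies on: after invalidateSession(), the next put() into getSessionMap() creates the new session.

```java
// ---- file: LoginController.java ----
import java.io.Serializable;
import java.util.Map;

import javax.faces.bean.ManagedBean;
import javax.faces.bean.ViewScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Inject;

// View scoped: nothing in this bean needs to survive the session swap.
@ManagedBean(name = "loginController")
@ViewScoped
public class LoginController implements Serializable {

    private static final long serialVersionUID = 1L;

    /** Session attribute that marks an authenticated session; readable as #{user} in EL. */
    public static final String USER_ATTRIBUTE = "user";

    @Inject
    private UserProvider userProvider; // type from the question

    private String accountName;
    private String password;

    public String login() {
        // Verify first and touch the session only on success.
        User candidate = userProvider.findUserByAccountName(accountName);
        // UserProvider.verifyPassword(User, String) is assumed for this example.
        if (candidate == null || !userProvider.verifyPassword(candidate, password)) {
            password = null;
            return null; // stay on the login view
        }

        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();

        // Session fixation handover: discard the pre-authentication session (and any
        // session id an attacker could have planted) and start a new one for the user.
        ec.invalidateSession();
        Map<String, Object> freshSession = ec.getSessionMap(); // new session is created on put()
        freshSession.put(USER_ATTRIBUTE, candidate);

        password = null;
        // Redirect so the browser gets the new JSESSIONID cookie before any protected page
        // is rendered and this now stale view scoped bean is not reused.
        return "home?faces-redirect=true";
    }

    public String getAccountName() { return accountName; }
    public void setAccountName(String accountName) { this.accountName = accountName; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}

// ---- file: AuthenticatedSessionFilter.java ----
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// "Logged in" means: the current session carries the User that login() put there.
// The URL pattern and login page path are assumptions for this example.
@WebFilter(urlPatterns = "/secured/*")
public class AuthenticatedSessionFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false); // never create a session here
        boolean authenticated = session != null
                && session.getAttribute(LoginController.USER_ATTRIBUTE) instanceof User;

        if (authenticated) {
            chain.doFilter(req, res);
        } else {
            response.sendRedirect(request.getContextPath() + "/login.xhtml");
        }
    }

    @Override
    public void destroy() { }
}
```

Two practitioner notes. First, the handover only helps if the response that sets the new session cookie is the one the browser uses from then on, which is why login() ends with a redirect rather than a forward. Second, Servlet 3.1 added HttpServletRequest.changeSessionId(), which rotates the session id while keeping the attributes and so avoids the "bean lives in the old session" problem altogether; JBoss AS 7 is a Java EE 6 (Servlet 3.0) container, so on that platform the invalidate-and-recreate approach shown here is the one available.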