Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: JBossAS-4.2.0.GA
    • Fix Version/s: None
    • Component/s: Security
    • Labels:
      None
    • Environment:

      Unix

      Description

      I am using JBOSS 4.2 GA. I am able to fix the session id on the application server. JBOSS is not validating the JSESSIONID value, whether it is generated by itself or not. So, I thought of explicitly invalidating the existing session and creating a new session using httpServletRequest.getSession(true) during the login action. JBOSS still returns the old jsession id.
      Is this a limitation in JBoss? I also checked the emptySessionPath in server.xml and the value is "true" for the HTTP, HTTPS and AJP Connectors.
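
      The login-time rotation described above, with a check for the reported symptom, as an added example that is not code from the reporter or from JBoss. The class and method names are hypothetical, and it assumes the Servlet 2.x API (javax.servlet) is on the classpath. It does not change the container's behaviour; it only refuses to continue when the post-login id matches the pre-login one.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: call after credentials are verified and
 *  before any authenticated state is stored in the session. */
public final class LoginSessionRotation {

    private LoginSessionRotation() {}

    public static HttpSession rotate(HttpServletRequest request) {
        // Id the client sent with this request (cookie or URL); it may
        // not have been generated by the server at all.
        String presentedId = request.getRequestedSessionId();

        // Drop the pre-login session without creating one if none exists.
        HttpSession old = request.getSession(false);
        String oldId = null;
        if (old != null) {
            oldId = old.getId();
            old.invalidate();
        }

        // Ask the container for a new session.
        HttpSession fresh = request.getSession(true);
        String newId = fresh.getId();

        // The symptom from the report: the "new" session carries the same
        // id as before login. Fail closed instead of binding the
        // authenticated user to an id that was known before login.
        if (newId.equals(oldId) || newId.equals(presentedId)) {
            fresh.invalidate();
            // The id itself is deliberately left out of the message.
            throw new IllegalStateException(
                "session id was not rotated at login");
        }
        return fresh;
    }
}
```

      Nothing from the pre-login session is copied into the new one, so any attribute the application needs after login has to be set again by the login action.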

              People

              • Assignee:
                anil.saldhana Anil Saldanha
                Reporter:
                altafshussain Altaf Hussain
              • Votes:
                0
                Watchers:
                1