jsr340-experts@servlet-spec.java.net

[jsr340-experts] Re: SERVLET_SPEC-13: Make session fixation protection part of the spec

From: Shing Wai Chan <shing.wai.chan_at_oracle.com>
Date: Tue, 24 Jan 2012 18:29:31 -0800

On 1/23/12 5:24 AM, Ramesh wrote:
>
>
> On 1/20/2012 5:17 PM, Mark Thomas wrote:
>> On 19/01/2012 22:41, Alex Rojkov wrote:
>>>>>> On Tue, 2012-01-17 at 17:36 -0800, Shing Wai Chan wrote:
>>>> I notice one more difference: a String argument.
>>>> In Tomcat (and also GlassFish), we have
>>>> org.apache.catalina.connector.Request#changeSessionId(String
>>>> newSessionId)
>>> In my opinion the session ids must be container managed. We can't
>>> rely on the users
>>> of the API to be able to generate good IDs. I am not in favour of
>>> letting users
>>> generate Ids.
>> Agreed. org.apache.catalina.connector.Request is an internal class and
>> could easily be refactored to not take the new session ID.
>>
>>>> In other words, the caller of the API needs to know a newSessionId
>>>> as follows:
>>>> a) javax.servlet.http.HttpServletRequest:
>>>> public void changeSessionId(String newSessionId);
>>> -1. See above.
>> Agreed. -1 to the API allowing the new ID to be specified.
>>
>>> public void changeSessionId() is OK.
>>>
>>> public String changeSessionId() can be considered as alternative.
>>>
>>> It's likely that the new sessionId will be needed right after it's
>>> generated.
>> I have no issues with this proposed change.
>>
>> Mark
> Agreed to have this on HttpServletRequest.
>>> Alex
>>>
>>>> Also, in previous bug comments and discussion, there is a
>>>> suggestion to add a new method:
>>>> b) javax.servlet.http.HttpSessionListener
>>>> public void sessionIdChanged(HttpSessionEvent se);
>>>>
>>>> Note that (b) may break some of the user applications. Is it ok?
>>>>
>>>> Shing Wai Chan
>>>>
>>>>
>>>>
> I feel the change of session id has to be notified. Since adding it in
> HttpSessionListener might break the interface, how about introducing
> a standard 'javax.servlet.http.session.id' session attribute and
> notifying using:
> javax.servlet.http.HttpSessionAttributeListener
> void attributeAdded(javax.servlet.http.HttpSessionBindingEvent
> event);
> void attributeReplaced(javax.servlet.http.HttpSessionBindingEvent
> event);

Another alternative is having a new listener. For instance
javax.servlet.http.HttpSessionIdListener
      void sessionIdChanged(javax.servlet.http.HttpSessionEvent event);

Shing Wai Chan
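An added example, not from this thread, of how the two pieces discussed above fit together in an application: a login servlet that asks the container to issue a fresh session id once authentication succeeds (the session fixation mitigation the issue is about), plus a separate id-change listener so existing HttpSessionListener implementations are untouched. It is written against the form Servlet 3.1 eventually shipped, `String changeSessionId()` on HttpServletRequest and `HttpSessionIdListener.sessionIdChanged(HttpSessionEvent, String oldSessionId)`; the class names and the placeholder credential check are assumptions for illustration, and the two classes belong in separate source files.

```java
// --- LoginServlet.java (hypothetical) ---
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String pass = req.getParameter("pass");
        if (!checkCredentials(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = req.getSession(true);
        // The container generates the new id; the application never supplies
        // one. Attributes stay bound to the same HttpSession object, so any
        // id the client held before authenticating no longer names this
        // session. The new id is returned for callers that need it at once.
        String newId = req.changeSessionId();
        session.setAttribute("user", user);
        resp.setContentType("text/plain");
        resp.getWriter().println("authenticated; session id renewed");
    }

    // Placeholder for the real credential check (assumption, not a real API).
    private boolean checkCredentials(String user, String pass) {
        return user != null && pass != null && !user.isEmpty();
    }
}

// --- SessionIdAuditListener.java (hypothetical) ---
// Separate listener type, so HttpSessionListener keeps its existing shape.
// Lets the application audit id changes or update any store keyed by id.
@WebListener
public class SessionIdAuditListener implements HttpSessionIdListener {
    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        String newId = event.getSession().getId();
        System.out.println("session id changed: " + oldSessionId + " -> " + newId);
    }
}
```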