jsr340-experts@servlet-spec.java.net

[jsr340-experts] Re: SERVLET_SPEC-13: Make session fixation protection part of the spec

From: Mark Thomas <markt_at_apache.org>
Date: Tue, 10 Jul 2012 19:49:21 +0100

On 10/07/2012 07:02, Remy Maucherat wrote:
> On Mon, 2012-07-09 at 13:52 -0700, Shing Wai Chan wrote:
>> Hi,
>>
>> Before EDR, there were discussions about adding an API to change the session.
>> Let me summarize what we have discussed:
>>
>> I. change session id API - three options were discussed
>> A. add API to HttpSession
>> String changeId(); // return the id
>> B. add API to HttpSession
>> a. String changeId(HttpServletRequest req);
>> b. String changeId(HttpServletRequest req, HttpServletResponse res);
>> C. add API to HttpServletRequest
>> String changeSessionId();
>>
>> My preference would be (c).
>
> +1

+1. Both session and request will need updating and this is easier to do
starting from the request.

>> II. event - three options are discussed
>> A. add API to HttpSessionListener // will break backward compatibility
>> a. void sessionIdChanged(HttpSessionEvent se);
>> b. void sessionIdChanged(HttpSessionEvent se, String oldSessionId);
>> B. add attribute javax.servlet.http.session.id attribute
>> and notify using
>> javax.servlet.http.HttpSessionAttributeListener#attributeAdded,
>> #attributeReplaced
>> C. add a new listener, HttpSessionIdListener
>> void sessionIdChanged(HttpSessionEvent se, String oldSessionId);
>>
>> I prefer (c).
>
> Another listener type has a cost, but B is bad and A is not possible. So
> C looks the best of the three options here.

+1.

Mark
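Putting the two preferred options together, as an added example rather than code from the thread or from the spec: a login servlet that rotates the session id at the point where the session's privilege level changes, and an HttpSessionIdListener that hears about the rotation. The example assumes a container implementing option I.C, `HttpServletRequest#changeSessionId()`, and option II.C, `HttpSessionIdListener#sessionIdChanged(HttpSessionEvent, String)`, with exactly the signatures quoted above; `AuthService`, the `/login` path and the `user` attribute name are placeholders invented for the example.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

/**
 * Login servlet that changes the session id at the moment the session goes
 * from anonymous to authenticated. Any id a third party knew before login
 * no longer refers to the authenticated session, which is what session
 * fixation protection is meant to guarantee.
 */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");

        // Placeholder credential check (see AuthService below); a real
        // application delegates to its configured authentication mechanism.
        if (!AuthService.authenticate(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Make sure a session exists first: option I.C operates on the
        // request's current session and cannot create one.
        HttpSession session = req.getSession(true);

        // Option I.C: same session object and attributes, new identifier.
        // The container also re-issues the session cookie on this response,
        // which is why the thread prefers starting from the request.
        req.changeSessionId();

        // Only store privileged state after the id has been rotated.
        session.setAttribute("user", user);

        resp.setContentType("text/plain");
        resp.getWriter().println("Logged in as " + user);
    }
}

/**
 * Option II.C: a dedicated listener receives the old id alongside the event,
 * so state keyed on the session id outside the session itself (audit trails,
 * per-session rate limiters, back-end caches) can be re-keyed in one place.
 */
@WebListener
class SessionIdAuditListener implements HttpSessionIdListener {
    private static final Logger LOG =
            Logger.getLogger(SessionIdAuditListener.class.getName());

    @Override
    public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
        String newSessionId = se.getSession().getId();
        // Log a prefix only: a full session id in a log file is itself a
        // credential leak.
        LOG.info("session id changed: " + abbreviate(oldSessionId)
                + " -> " + abbreviate(newSessionId));
    }

    /** Keeps the first four characters of an id so log lines stay correlatable without exposing the id. */
    static String abbreviate(String id) {
        if (id == null) {
            return "(none)";
        }
        return id.length() <= 4 ? id + "..." : id.substring(0, 4) + "...";
    }
}

/** Placeholder authentication check for the example; not part of the thread or the spec. */
final class AuthService {
    static boolean authenticate(String user, String password) {
        // Accepts any non-empty pair so the servlet above can be exercised;
        // replace with the application's real credential validation.
        return user != null && !user.isEmpty()
                && password != null && !password.isEmpty();
    }
}
```

The order inside `doPost` is the part worth copying: authenticate, rotate the id, then attach privileged state to the session. Rotating after the state is attached still works, but it leaves a window in which the pre-login id refers to an authenticated session.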