How to change the value of JSESSIONID after user login in liftweb?

Question

I am trying to prevent Session Fixation vulnerability by changing the JSESSIONID after user logs in.

I am using a SessionVar to store the user data, and S.session.open_!.destroySessionAndContinueInNewSession to invalidate the old session and create the new one upon login.

However, it does not work. The value of JSESSIONID does not change at all. It's still the same.

I also try logging out using:

S.session.open_!.destroySession()
S.request.foreach(_.request.session.terminate)

to trigger a session id reset. However, it does not work either.

How do we change the value of JSESSIONID upon login in liftweb?

Answer 1

With Lift there are two types of session. There is the container session, and in a Servlet environment that is tied to a JSESSIONID, and there is the LiftSession, which is Lift's abstraction. Lift ties its own session to the container session, but it is not directly responsible for how the container generates and maintains sessions.

As far as I know all of the code snippets above will result in an call to javax.servlet.http.HttpSession.invalidate() but after that it's up to the container to handle the generation of a new ID for the client. My guess is that your container isn't unsetting the JSESSIONID cookie when the response is sent and when the client makes the next request the container starts a new session using the ID that was requested.

What I think you'll want to do is to look into how your container (Jetty, Tomcat, etc) handle requests for JSESSIONID values that are not tied to existing sessions, and if it is using the requested value even when a session doesn't already exist, how to disable that functionality. This SO question might help.