
Same sessionid after invalidating session


My request flow goes from the 1st page to the 2nd page, then from the 2nd page back to the 1st page, again from the 1st page to the 2nd page, and again from the 2nd page to the 2nd page .... The request page cannot be changed, but every time the request goes from the 1st page to the 2nd page we need to fetch the details into the session, invalidate it, and create it again.


So, what I am thinking is that on the valve, the old session is not invalidated, but a new session id is assigned as below:

Because if you are checking for a session hijack and think you detected one, I would think you would want to invalidate the session and then redirect to the login page, not stay on the same page and recreate the session. I've never seen it in over a decade of Tomcat use.

Logout also results in a call to session.invalidate. I do not see a clear point why it is necessary to have the session id changed or cleared after logout. Why does this requirement verify only the logout part?

So one of our customers has raised this as a security threat.

They fear a scenario where a different user can press back and refresh in the same browser and use the previous user's session.

If you were reviewing an application against the ASVS standard and you noticed that the session ID had changed on logout, you can be pretty sure that all session data has been cleared and is no longer available from the client.

Yes, technically it is possible to code a system to migrate any session data to the new session, but as there is no real reason to do this it is a good measure of the quality of the application's session handling.

User enters his user id and password and is logged in.

He then browses to another page and clicks Exit to logout.

So let me know of a way of invalidating the existing JSESSIONID cookie once session.invalidate has been called.
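One way to do this, as an added example and not code from any of the posters: a logout servlet that invalidates the server-side session, expires the JSESSIONID cookie in the browser, and redirects to the login page, so the "back and refresh" scenario above lands on login rather than on a reused session. The servlet path, the login page path and the servlet API package are assumptions; the cookie name and path follow Tomcat's defaults (JSESSIONID scoped to the context path, or "/" for the root context).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Logout endpoint (path "/logout" is an assumption for this example).
// POST only: a logout reachable by GET can be triggered by any link or image.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false): do not create a fresh session just to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate(); // server-side state for this id is gone
        }

        // invalidate() does not touch the browser. Expire the cookie explicitly
        // so the old id is not sent again; path must match the one Tomcat set
        // (the context path, or "/" for the ROOT context) or the browser keeps it.
        String contextPath = request.getContextPath();
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setMaxAge(0);
        expired.setPath(contextPath.isEmpty() ? "/" : contextPath);
        expired.setHttpOnly(true);
        expired.setSecure(request.isSecure());
        response.addCookie(expired);

        // Stop the back button from serving a cached copy of the logout response.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        response.setHeader("Pragma", "no-cache");

        // Send the user to the login page (assumed path) instead of the same page;
        // any later request with the old cookie gets a brand-new session id.
        response.sendRedirect(contextPath + "/login.jsp");
    }
}
```

With this in place, the ASVS check described above passes: the Set-Cookie on logout carries Max-Age=0, and the next response that creates a session issues a different JSESSIONID than the one the user had before logout.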