
  • Sun
    June 11, 2010

Change Session Id on Authentication in GlassFish

A session fixation attack is a security vulnerability in which the victim is
tricked into logging in with a session id supplied by an attacker; the attacker
can then use that now-authenticated session.

Prior to GlassFish v3, one can minimize the exposure of the session id through
URL rewriting by specifying a session-properties element in WEB-INF/sun-web.xml:

      <property name="enableURLRewriting" value="false" />
In GlassFish v3, with the support of Servlet 3.0, one can also achieve the above
by specifying the tracking-mode in WEB-INF/web.xml:

<web-app ...>

Note that the default tracking-mode in GlassFish v3 is COOKIE and URL.

In GlassFish 3.0.1 and GlassFish 3.1, a security feature is ported from Tomcat.
One can configure a web application so that the session id is changed after
authentication. This minimizes the session fixation attack, because the session id
the client held before logging in never becomes an authenticated session.
One can achieve this by configuring META-INF/context.xml in the war file. For instance,

<?xml version="1.0" encoding="ISO-8859-1"?>

  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
The above example uses form-based login. If BASIC is used, then the className should be

Comments (1)

  • Shing Wai Chan, Tuesday, February 1, 2011

    In 3.1, this feature is turned on by default.
