After invalidating


It would be awesome to get some feedback or better suggestions from people much smarter than myself -- like you!

Since the attacker also knows this value he/she will refresh their browser and the resources mapped to that session ID (the victim's resources) will be served to them. This will no doubt cause a new cookie to get generated but it will be on the user's browser before they login.

So if an attacker can edit the "prelogin" cookie again, the attack still persists, as the same cookie will be used even after the user logs in. What this means is that even if an attacker manages to trick you into using a controlled value prior to logging in, you're still protected: the application forcibly changes the value after you log in.

I had another OWASP link, which confused me because it says "Session ID should be regenerated after login": owasp.org/index.php/Session_Fixation_in_Java. I can't comment on @cherouvim's answer above as I don't have enough points.

The new session ID should be set "after" the user successfully logs in, to avoid session fixation. Session fixation effectively means that an attacker somehow tricked a user into using a value known to the attacker.

The problem is that the JSESSIONID cookie is set in the browser and visible in the Firefox cookie viewer (for example). If you are using an older version of JBoss, like JBoss 4, then simply calling Session(true) after the session.invalidate() call will not change the session id.
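The "regenerate the session ID after a successful login" advice from the answers above, as an added servlet example (not code from the thread or from any of the posters). It assumes a hypothetical `authenticate()` helper and a Servlet 3.1+ container for `changeSessionId()`; the fallback branch is the classic invalidate-then-recreate approach, carrying over pre-login attributes such as a shopping cart so only the identifier changes.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    // Hypothetical credential check; replace with the application's real one.
    private boolean authenticate(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!authenticate(req.getParameter("username"), req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        HttpSession session = req.getSession(true);
        try {
            // Servlet 3.1+: keep the session state, swap only the JSESSIONID value.
            // Whatever ID the browser held before login is no longer valid afterwards.
            req.changeSessionId();
        } catch (UnsupportedOperationException | NoSuchMethodError e) {
            // Older containers: copy pre-login attributes, drop the old session,
            // and create a fresh one so a planted ID cannot survive the login.
            Map<String, Object> carried = new HashMap<>();
            Enumeration<String> names = session.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, session.getAttribute(name));
            }
            session.invalidate();
            session = req.getSession(true);
            for (Map.Entry<String, Object> entry : carried.entrySet()) {
                session.setAttribute(entry.getKey(), entry.getValue());
            }
        }

        // Mark the (new) session as authenticated only after the ID has changed.
        session.setAttribute("user", req.getParameter("username"));
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```

After login, compare the `Set-Cookie: JSESSIONID=...` value in the response with the one the browser sent; if they are identical, the container did not regenerate the ID and the fixation window described in the thread is still open.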