Session handover - invalidate the session after logging in and create a new one - but the user is no longer logged in

I am using JSF 2.0 and Java EE 6 on JBoss AS 7.

I have LoginController.java that looks like this:

    import java.io.Serializable;

    import javax.annotation.PostConstruct;
    import javax.faces.bean.ManagedBean;
    import javax.faces.bean.SessionScoped;
    import javax.faces.context.FacesContext;
    import javax.inject.Inject;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;

    @ManagedBean(name = "loginController")
    @SessionScoped
    public class LoginController implements Serializable {

        private static final long serialVersionUID = 1119172305268193508L;

        @Inject
        private UserProvider userProvider;

        private User user;
        private String accountName;
        private String password;

        @PostConstruct
        public void initNewUser() {
            user = new User();
        }

        public String ownLogin() throws Exception {
            HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance()
                    .getExternalContext().getRequest();
            if (accountName != null) {
                try {
                    if (exists(accountName)) {
                        user = userProvider.findUserByAccountName(accountName);
                        if (verifyPassword(user, password)) {
                            userProvider.saveChangedUser(user);
                            // OWASP SAYS: after login, destroy the session and make a new one,
                            // a so-called handover

                            // Destroy the session
                            FacesContext facesContext = FacesContext.getCurrentInstance();
                            HttpSession session = (HttpSession) facesContext.getExternalContext().getSession(false);
                            if (session != null) {
                                session.invalidate();
                            }
                            // create new session after logout
                            session = (HttpSession) facesContext.getExternalContext().getSession(true);
                            setLogin(true);
                        }
                    }
                } catch (Exception e) {
                    // catch block not shown in the original post; rethrow so the method
                    // keeps its declared "throws Exception"
                    throw e;
                }
            }
            return null; // navigation outcome not shown in the original post
        }

        /* some getters and setters */
    }

OWASP says that for security reasons the session must be invalidated after logging in (see V3.7).

I do this in my code at this point:

    FacesContext facesContext = FacesContext.getCurrentInstance();
    HttpSession session = (HttpSession) facesContext.getExternalContext().getSession(false);
    if (session != null) {
        session.invalidate();
    }
    // create new session after logout
    session = (HttpSession) facesContext.getExternalContext().getSession(true);

First I invalidate the old session, and then I create a new one.
After that I set the login flag ...

Of course, after all this code has run, the user is not logged in, because the LoginController was scoped to the old session - and in the scope of the new session a fresh LoginController appears that is not logged in ...

Is there a way to put the LoginController into the new session after it has been created?

Or what is the general way to do this?

+6
1 answer

When you invalidate a session, all its attributes are destroyed by the end of the response. However, you set the login status on a session-scoped bean instance, which lives only in the old session.

You basically need to manually recreate the session-scoped bean and put it into the new session after the invalidation.

    ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
    externalContext.invalidateSession();
    LoginController loginController = new LoginController();
    loginController.setUser(user);
    externalContext.getSessionMap().put("loginController", loginController);

(See ma, no ugly javax.servlet import anymore!)

By the way, when you go this way, you could also just make your LoginController a request-scoped bean and keep only the User in the session.

    ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
    externalContext.invalidateSession();
    externalContext.getSessionMap().put("user", user);

(It will be available as #{user} throughout the EL context, including in managed properties, and does not have to be a JSF managed bean.)

+4
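The following is an added example, not code from the question or from the answer above. It puts the answer's second suggestion together with the question's LoginController: the controller becomes request-scoped, so invalidating the session cannot throw away the bean that records the login, and only the authenticated User is placed in the fresh session. The class names UserProvider and User are the asker's own; the methods UserProvider.findUserByAccountName returning null for an unknown account and UserProvider.verifyPassword comparing against a stored hash, and the navigation outcomes "home" and "login", are assumptions made here for the example.

```java
import java.util.Map;

import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Inject;

/**
 * Request-scoped login controller. It holds no login state itself, so the
 * session handover cannot "log out" a bean that lived in the old session; the
 * only thing kept across requests is the User, stored explicitly in the new session.
 */
@ManagedBean(name = "loginController")
@RequestScoped
public class LoginController {

    /** Session attribute holding the authenticated user; reachable as #{user} in EL. */
    static final String USER_KEY = "user";

    @Inject
    private UserProvider userProvider; // the asker's own class, as in the question

    private String accountName;
    private String password;

    public String ownLogin() {
        FacesContext facesContext = FacesContext.getCurrentInstance();
        ExternalContext externalContext = facesContext.getExternalContext();

        // Assumption: findUserByAccountName returns null for an unknown account.
        User user = (accountName == null) ? null : userProvider.findUserByAccountName(accountName);
        if (user == null || !verifyPassword(user, password)) {
            // One generic message for unknown account and wrong password alike,
            // so the login form does not reveal which accounts exist.
            facesContext.addMessage(null,
                    new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
            return null; // re-render the login page
        }

        // Session handover (the OWASP V3.7 requirement from the question): the session the
        // browser carried into the login form is discarded, so a session id that existed
        // before authentication is never promoted to an authenticated one.
        externalContext.invalidateSession();

        // getSessionMap().put(...) obtains the session on demand, so after the
        // invalidation above the user lands in a brand-new session.
        externalContext.getSessionMap().put(USER_KEY, user);

        // Redirect so the Set-Cookie for the new session id reaches the browser
        // before any protected page is rendered in it.
        return "home?faces-redirect=true";
    }

    public String logout() {
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "login?faces-redirect=true";
    }

    /** True when an authenticated User is present in the current session. */
    public boolean isLoggedIn() {
        Map<String, Object> sessionMap =
                FacesContext.getCurrentInstance().getExternalContext().getSessionMap();
        return sessionMap.get(USER_KEY) instanceof User;
    }

    /** The same object that pages see as #{user}, or null when not logged in. */
    public User getCurrentUser() {
        return (User) FacesContext.getCurrentInstance().getExternalContext()
                .getSessionMap().get(USER_KEY);
    }

    // The question calls verifyPassword(user, password) without showing it. Assumed here:
    // UserProvider.verifyPassword compares the candidate against the stored password hash.
    private boolean verifyPassword(User user, String candidate) {
        return candidate != null && userProvider.verifyPassword(user, candidate);
    }

    // Getters and setters for the login form fields, as in the question.
    public String getAccountName() { return accountName; }
    public void setAccountName(String accountName) { this.accountName = accountName; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

The redirect outcome matters for the handover: with a plain forward the page is rendered in the same response that invalidated the old session, and any component state bound to the old session is gone, whereas after the redirect the browser's next request already carries the new session id. A page or filter that needs to know whether someone is logged in checks the session map for the "user" attribute (here via isLoggedIn()), not a flag on the controller, because a request-scoped controller is recreated on every request.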

Source: https://habr.com/ru/post/911447/