I am using JSF 2.0 and Java EE 6 on JBoss AS 7.
I have a LoginController.java that looks like this:
```java
import java.io.Serializable;

import javax.annotation.PostConstruct;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;

@ManagedBean(name = "loginController")
@SessionScoped
public class LoginController implements Serializable {

    private static final long serialVersionUID = 1119172305268193508L;

    @Inject
    private UserProvider userProvider;

    private User user;
    private String accountName;
    private String password;

    @PostConstruct
    public void initNewUser() {
        user = new User();
    }

    public String ownLogin() throws Exception {
        HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance()
                .getExternalContext().getRequest();
        if (accountName != null) {
            try {
                if (exists(accountName)) {
                    user = userProvider.findUserByAccountName(accountName);
                    if (verifyPassword(user, password)) {
                        userProvider.saveChangedUser(user);
                        // ... (the method continues; the session handling shown below is inserted here)
```
OWASP says that, for security reasons, the session must be deleted after logging in (see V3.7).
I do this in my code at this point:
```java
FacesContext facesContext = FacesContext.getCurrentInstance();
HttpSession session = (HttpSession) facesContext.getExternalContext().getSession(false);
if (session != null) {
    // invalidate the pre-authentication session
    session.invalidate();
}
// create a new session after the old one has been invalidated
session = (HttpSession) facesContext.getExternalContext().getSession(true);
```
First I delete the old session, and then I create a new session.
After that I set the login ...
Of course, after running all the code the user was not logged in, because the LoginController was held in the old session scope, and in the new session scope a new LoginController appeared that was not logged in ...
Is there a way to add a new LoginController to a new session after creation?
Or what is the general way to do this?
Joerg
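One way to combine the session rotation described in the question with a session-scoped bean, shown here as an added example that is not code from the question or from any JSF project. The bean invalidates the pre-authentication session, obtains a fresh one, and then re-registers itself in the new session under its managed-bean name, so JSF resolves `#{loginController}` to the already-authenticated instance on the next request instead of creating an empty one. `User`, `UserProvider` and the `authenticate(...)` helper are assumed placeholders for the application's own classes and are not defined here.

```java
import java.io.Serializable;

import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.servlet.http.HttpSession;

@ManagedBean(name = "loginController")
@SessionScoped
public class LoginController implements Serializable {

    private static final long serialVersionUID = 1L;

    // Must match the name in @ManagedBean, otherwise JSF will not find the re-registered bean.
    private static final String BEAN_NAME = "loginController";

    @Inject
    private UserProvider userProvider;   // assumed application class (hypothetical)

    private User user;                   // assumed application class (hypothetical)
    private String accountName;
    private String password;

    public String ownLogin() {
        // Authentication itself is out of scope here; authenticate() is a hypothetical
        // helper that returns the User on success or null on failure.
        User authenticated = authenticate(accountName, password);
        if (authenticated == null) {
            password = null;
            return null;                 // stay on the login page
        }

        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();

        // 1. Drop the pre-authentication session. Anything an attacker planted in it
        //    (a fixated session id, stale attributes) must not carry over.
        HttpSession old = (HttpSession) ec.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        // 2. Ask the container for a brand-new session; this issues a new session id
        //    and a new cookie to the client.
        HttpSession fresh = (HttpSession) ec.getSession(true);

        // 3. This instance was an attribute of the old session and died with it.
        //    Put it into the new session under the managed-bean name so the
        //    authenticated state survives the rotation.
        this.user = authenticated;
        this.password = null;            // never keep the clear-text password in session state
        fresh.setAttribute(BEAN_NAME, this);

        // Redirect so the browser's next request already carries the new session cookie.
        return "home?faces-redirect=true";
    }

    public boolean isLoggedIn() {
        return user != null;
    }

    public User getUser() {
        return user;
    }

    public String getAccountName() {
        return accountName;
    }

    public void setAccountName(String accountName) {
        this.accountName = accountName;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    private User authenticate(String name, String pw) {
        // Hypothetical: delegate to the application's own lookup and password check.
        return userProvider.authenticate(name, pw);
    }
}
```

Two caveats. Re-registering the bean by name works because `@SessionScoped` managed beans are stored as plain session attributes keyed by their managed-bean name; anything else that lived in the old session (other session-scoped beans, shopping-cart state) is gone after `invalidate()` and has to be copied over deliberately if it is needed. On Servlet 3.1 and later, `HttpServletRequest.changeSessionId()` rotates the id while keeping the attributes, which removes the problem entirely; JBoss AS 7 implements Servlet 3.0 (Java EE 6), so that method is not available there and the invalidate-and-recreate approach above is the one that applies.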