A customer has requested some security enhancements to our Java web application, including the following:
According to our security team good security practices state that session id should be changed on every request to prevent session hijacking.
I understand the importance of allocating a new session ID upon authentication (which we already do), but this request seems a bit extreme.
If reallocating on a per-request basis, it sounds like it’s no longer a session ID, but rather a single-use request ID that might be used in conjunction with a session ID.
So, my question: is such a tactic really a common security practice? If so, could somebody point me to a good discussion on the topic, implementation tips, etc.?
It doesn’t hurt, but it can be really complicated and really you only need to re-generate the session id when the security level changes. See also Session Hijacking – regenerate session ID on Security StackExchange.
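To illustrate the answer's point (rotate the identifier only when the security level changes, not on every request), here is an added Java servlet example; it is not code from the question or answer authors. The `LoginServlet` class, the `/login` and `/home` paths and the `authenticate` stub are assumptions for the example; `HttpServletRequest.changeSessionId()` is the real Servlet 3.1+ API, and the legacy method shows the invalidate-and-recreate approach used before it existed.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet (not from the original post): the session id is
// rotated exactly where the privilege level changes (anonymous -> authenticated),
// which closes the session-fixation window without a per-request rotation.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        if (!authenticate(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Privilege boundary crossed: discard the pre-login id before storing
        // anything that marks the session as authenticated.
        rotateSessionId(req);
        req.getSession().setAttribute("user", user);

        resp.sendRedirect(req.getContextPath() + "/home");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Logout is the other security-level change: drop the session entirely.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.sendRedirect(req.getContextPath() + "/");
    }

    /** Servlet 3.1+: keep the session object and its attributes, issue a new id. */
    static void rotateSessionId(HttpServletRequest req) {
        req.getSession(true);   // changeSessionId() requires an existing session
        req.changeSessionId();  // container issues a fresh id and updates the cookie
    }

    /** Pre-3.1 fallback: invalidate the old session and carry attributes over. */
    static HttpSession rotateSessionIdLegacy(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> saved = new HashMap<>();
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        saved.forEach(fresh::setAttribute);
        return fresh;
    }

    // Assumed placeholder: the real application would verify credentials
    // against its user store; this stub only exists so the example compiles.
    private boolean authenticate(String user, String pass) {
        return user != null && pass != null && !pass.isEmpty();
    }
}
```

The two rotation helpers differ only in mechanism: `changeSessionId()` keeps the same `HttpSession` object, so listeners and attributes survive, whereas the legacy path must copy attributes by hand and fires session-destroyed/created events. Either way the rotation happens once at login (and the session is invalidated at logout), which is the "security level changes" trigger the answer describes.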