Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’m wondering if regenerating the session id after a successful login really a good practice and not just sort of a cargo cult behavior.
If I understand the theory correctly it should prevent session hijacking (or at least make it harder), but I can’t really see that if someone could steal the pre-login session what would stop the phisher doing it again with the regenerated one.
I’m not focusing on Spring (I don’t even use Java currently), I’m interested in the pros and cons.
You regenerate to prevent session hijacking when the pre-login is http and the post-login is https. That is what stops the attacker doing it again with the regenerated one.
It is relatively easy to steal a session identifier for an http session, assuming you are near the victim, or in the path somewhere, or have phished etc – and if this session identifier is also viable in the encrypted session it can make the attacker’s job quite easy.