How prevent Session Fixation attacks!!!

Currently i have one vaadin application that i use to authenticate and remains the same after authentication .
To prevent "
session fixation
" attacks, after a sucessfuly login, i need a way to transfer the authenticated vaadin application to a new HttpSession or alternatively close de first application and creates a new vaadin application with the same authentication in a new HttpSession.

I saw the ticket #6094 that reports this problem, but still has no solution.

Anyone have a good idea or a solution to solve this problem?

I have an application in production that urgently needs this security recomendation solved, any help will be very grateful.

Thanks and regards

Hi Miguel,

if you want to sponsor our Vaadin development, please let me know and we can have our R&D look into it asap. This, as any other feature sponsoring requests, will most easily be handled through our Vaadin Pro Account (

Best wishes,


I haven’t understood clearly your issue. May you write

  1. the sequence of events in a normal session,
  2. which is the issue and how do you think others can exploit it
  3. finally what means transfer vaadin session to another http session?


In a “normal” environment you get a session on the very first request you make to a website.
That same session/cookie is then used when you login and do more privilegated operations.

And this is the security issue.

Normally you should use one cookie/session for non-authenticated user,
and after sucessfull login you assign him a new session/cookie.

The same is also when you access a website via http:// and then (after login)
switch to https:// but still “accept” the session/cookie from the http:// connection.

There are other variants of this, see in the wikipedia entry.
And it is definitively a potential security issue…


Certainly, it’s a potential security breach as it may happen sith any other http app.

I’m currently testing Dontpush addon. Initial session is created through http, but next conversation ins made through websocket connection. I haven’t got it work because a NPE, but probably that maybe a workaround, because if no http is involved, no session cookie is needed.


At the moment one way of resolving this is implementing Login outside of Vaadin application as a JSP page and doing the session invalidation there.

Added an example to
ticket #6094
how you can invalidate the old session and switch to a new one using a custom ApplicationContext class.

I implemented the example provided by Artur Signell and works like a charm. :smiley:

Thank for all and especially for Artur Signell