Session fixation - How to prevent with Vaadin session ?

dung5 · April 14, 2014, 8:12am

Normally, for session fixation, we can create new session or set new id for session when login success.
But how to do so with Vaadin ?
I try to both close VaadinSession or invalidate WapperSession but neither work.
Close VaadinSession didn’t create new id for our HttpSession.
Invalidate WapperSession did create new id for session but it also close VaadinSession and our screen hang. F5 and we back to login screen.
I’m also test with VaadinService.reinitializeSession() but session id didn’t change.

So which way should be correct to prevent session fixation ? Any1 can tell me ?

Johannes13 · April 14, 2014, 10:39am

VaadinService.reinitializeSession is the proper way of doing this. If you can’t get it to work, could you share a small test application demonstrating the problem?

dung5 · April 15, 2014, 2:47am

Sorry.
VaadinService.reinitializeSession working now when we try it with another computer or putting it on test server. Seem like there some problem with our computer instead.

Johannes13 · September 25, 2014, 11:28am

Hi, it seems you have some issue in your custom ErrorHandler that throws an NPE and hides the actual exception that was supposed to be handled. Could you look into that and report the stack trace and type of the original exception thrown by PushHandler?

Luca110 · October 25, 2018, 8:44am

Hello all.
We have a login page and we need to reInitialize session on clickListener method. UI is annotated with Push in manual mode.
On clickListener method we get null request using VaadinRequest.getCurrent() and VaadinService.getCurrentRequest().
I think this is caused by push mode: maybe it doesn’t generate a request? Other Vaadin applications without Push are working good.
We need Push system, so do you have any suggestion?

Vaadin version: 8.5.2
Tomcat version: 9.0

UPDATE

The main problem was a Thread started to handle login process. But after removed this, with Push enabled, we got a IllegalState exception for session already initialized.
We solved this one by start UI with Push disabled and enabling it programmatically after the login success.

Aminul · May 17, 2019, 9:20am

In my scenario I need to invoke VaadinService.reinitializeSession() inside a JavaScriptFunction I’m using a external JS library for authentication , server push is disabled in this scenario. But I’m getting java.lang.NullPointerException and it seems the the VaadinService instance is null inside that JS function, here is my sample code:

JavaScript.getCurrent().addFunction("loginSuccessCallBack", (JsonArray arguments) -> {
			myUI.access(() -> {
				VaadinService.reinitializeSession(VaadinService.getCurrentRequest());
			});
});

Any suggestion is welcome