Session fixation - How to prevent with Vaadin session ?
Normally, to prevent session fixation, we create a new session or set a new id for the session when login succeeds.
But how do we do that with Vaadin?
I tried both closing the VaadinSession and invalidating the WrappedSession, but neither works.
Closing the VaadinSession didn't create a new id for our HttpSession.
Invalidating the WrappedSession did create a new id for the session, but it also closed the VaadinSession and our screen hung. After F5 we are back at the login screen.
I also tested VaadinService.reinitializeSession(), but the session id didn't change.
So which way is the correct one to prevent session fixation? Can anyone tell me?
VaadinService.reinitializeSession is the proper way of doing this. If you can't get it to work, could you share a small test application demonstrating the problem?
VaadinService.reinitializeSession is working now when we try it on another computer or on the test server. It seems there is some problem with our computer instead.
Hi, it seems you have some issue in your custom ErrorHandler that throws an NPE and hides the actual exception that was supposed to be handled. Could you look into that and report the stack trace and type of the original exception thrown by PushHandler?
Hello all. We have a login page and we need to reinitialize the session in a clickListener method. The UI is annotated with Push in manual mode. In the clickListener method we get a null request from VaadinRequest.getCurrent() and VaadinService.getCurrentRequest(). I think this is caused by push mode: maybe it doesn't generate a request? Other Vaadin applications without Push are working fine. We need the Push system, so do you have any suggestion?
Vaadin version: 8.5.2, Tomcat version: 9.0
The main problem was a Thread started to handle the login process. But after removing this, with Push enabled, we got an IllegalStateException for "session already initialized". We solved this one by starting the UI with Push disabled and enabling it programmatically after the login succeeds.
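The two resolutions in this thread, reinitializeSession() being the proper call (answer above) and running it on the request thread with push enabled only afterwards (previous post), as an added Vaadin 8 example that is not code from this thread or from Vaadin itself. The `authenticate` helper and its demo credential are constructed placeholders for the application's real credential check:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import com.vaadin.server.VaadinRequest;
import com.vaadin.server.VaadinService;
import com.vaadin.server.VaadinSession;
import com.vaadin.shared.communication.PushMode;
import com.vaadin.ui.Button;
import com.vaadin.ui.Label;
import com.vaadin.ui.Notification;
import com.vaadin.ui.PasswordField;
import com.vaadin.ui.TextField;
import com.vaadin.ui.UI;
import com.vaadin.ui.VerticalLayout;

// Added example, not from the thread: a Vaadin 8 login UI that rotates the
// HTTP session id on successful login. No @Push annotation, so the UI starts
// with push disabled and the click listener runs inside an ordinary request;
// push is switched on programmatically once the new session exists.
public class LoginUI extends UI {

    private static final String USER_ATTRIBUTE = "authenticatedUser";

    @Override
    protected void init(VaadinRequest initialRequest) {
        TextField username = new TextField("Username");
        PasswordField password = new PasswordField("Password");
        Button login = new Button("Log in");

        login.addClickListener(event -> {
            // Runs synchronously on the request thread. Moving this into a
            // background Thread is what left the thread above with a null request.
            if (!authenticate(username.getValue(), password.getValue())) {
                Notification.show("Login failed", Notification.Type.ERROR_MESSAGE);
                return;
            }

            VaadinRequest request = VaadinService.getCurrentRequest();
            if (request == null) {
                // Push callback or background thread: refuse to continue rather
                // than keep the session id the browser arrived with.
                throw new IllegalStateException("No current request; cannot rotate session id");
            }

            // Invalidates the underlying HttpSession and re-creates the Vaadin
            // state in a fresh one, so the pre-login session id is no longer valid.
            VaadinService.reinitializeSession(request);

            // Mark the session as authenticated only after the id has changed.
            VaadinSession.getCurrent().setAttribute(USER_ATTRIBUTE, username.getValue());

            // Enable push now that the session has been re-established.
            getPushConfiguration().setPushMode(PushMode.AUTOMATIC);

            setContent(new Label("Logged in as " + username.getValue()));
        });

        setContent(new VerticalLayout(username, password, login));
    }

    // Hypothetical credential check. The constant-time comparison is the
    // shape a real implementation should keep; the hard-coded demo credential
    // is a constructed placeholder, not something to ship.
    private static boolean authenticate(String user, String pass) {
        byte[] expectedUser = "demo".getBytes(StandardCharsets.UTF_8);
        byte[] expectedPass = "demo-password".getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(user.getBytes(StandardCharsets.UTF_8), expectedUser)
            && MessageDigest.isEqual(pass.getBytes(StandardCharsets.UTF_8), expectedPass);
    }
}
```

A quick check that the rotation actually happened is to compare the `JSESSIONID` cookie in the browser's developer tools before and after clicking "Log in"; if it is unchanged, the listener was not executed on a request thread.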
In my scenario I need to invoke VaadinService.reinitializeSession() inside a java.lang.NullPointerException and it seems the VaadinService instance is null inside that JS function. Here is my sample code:
Any suggestion is welcome.