I have written a filter which should create a new session after login to fix session fixation. It should be called only when the user logs into the system:

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class GenerteNewSessionFilter implements Filter {

    // Session attribute that marks a session whose ID must be regenerated.
    public static final String NEW_SESSION_INDICATOR = "cab";

    public void destroy() {
        // nothing to clean up
    }

    @SuppressWarnings({ "unchecked", "rawtypes" })
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        if (httpRequest.getSession(false) != null
                && httpRequest.getSession(false).getAttribute(NEW_SESSION_INDICATOR) != null) {
            // Copy session attributes from the old session to a map.
            HttpSession session = httpRequest.getSession();
            HashMap<String, Object> old = new HashMap<String, Object>();
            Enumeration keys = (Enumeration) session.getAttributeNames();
            while (keys.hasMoreElements()) {
                String key = (String) keys.nextElement();
                // The indicator itself is not copied, so the new session is not regenerated again.
                if (!NEW_SESSION_INDICATOR.equals(key)) {
                    old.put(key, session.getAttribute(key));
                    session.removeAttribute(key);
                }
            }
            // Invalidate the old session and create a new one.
            session.invalidate();
            session = httpRequest.getSession(true);
            // Copy the key/value pairs from the map to the new session.
            for (Map.Entry<String, Object> entry : old.entrySet()) {
                session.setAttribute(entry.getKey(), entry.getValue());
            }
        }
        // Pass the request on; without this call the request never reaches its target.
        chain.doFilter(request, response);
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        // no initialization needed
    }
}
```

But I want to execute it only once, when the user logs into the application. Please guide me on how I can achieve this.

Thanks.

  • What if you put that code in the place handling the user's POSTing of credentials? Basically, invalidate the session once you verify that the user is who you think they are. Commented Aug 29, 2014 at 23:26

1 Answer

You can apply a filter to a specific servlet. So apply it only to the servlet that handles your LoginAction; this way it will only execute when the user logs in.

In your web.xml, just change the filter path.
Change your `<url-pattern>` to the same path as your servlet.

```xml
<filter>
    <display-name>SessionFilter</display-name>
    <filter-name>SessionFilter</filter-name>
    <filter-class>com.session.SessionFilter</filter-class>
</filter>
<filter-mapping>
    <!-- must match the <filter-name> declared in <filter> above -->
    <filter-name>SessionFilter</filter-name>
    <url-pattern>/your/path/LoginAction</url-pattern>
</filter-mapping>
```

Or use <servlet-name> rather than <url-pattern>

```xml
<filter-mapping>
    <filter-name>SessionFilter</filter-name>
    <servlet-name>LoginAction</servlet-name>
</filter-mapping>
```

Note that you can also apply `<url-pattern>` to your JSP:

```xml
<url-pattern>/your/path/login.jsp</url-pattern>
```

6 Comments

There is no servlet in this application; all we have for login is loginsubmit.jsp.
How do you check the login? What do you use when accessing a database to check whether a user exists or not? And also you have tag servlets.
When the user submits login.jsp, it redirects the user to userloginsubmt.jsp; within this JSP we call Java methods for accessing the DB and for validations.
Don't access a DB within your page. Anyway, I edited my answer. You can apply the filter to a specific JSP that you want.
I have created the above filter with some modifications. I am now able to invalidate the old session, create a new session and copy the old session data. Please help me with how I can call this filter only in case of a successful login, guest login or register user.
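
The approach suggested in the first comment (regenerate the session at the point where the credentials have just been verified, instead of in a filter), as an added example that is not part of the original thread. The class name `LoginSessionRotator`, the attribute name `authUser` and the use of the `javax.servlet` 3.0+ API are assumptions; the method is meant to be called once from each successful login, guest-login or registration path, before any output is written.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical helper, called once by the login code after credentials are verified. */
public final class LoginSessionRotator {

    // Assumed attribute name under which the application stores the logged-in user.
    public static final String AUTH_USER = "authUser";

    private LoginSessionRotator() { }

    /**
     * Gives the now-authenticated user a session ID that did not exist before
     * login, while keeping the pre-login attributes (cart, locale, ...).
     */
    public static HttpSession rotate(HttpServletRequest request,
                                     HttpServletResponse response,
                                     String username) {
        // The new session cookie travels in a response header, so the ID
        // must change before the response is committed.
        if (response.isCommitted()) {
            throw new IllegalStateException("rotate the session before writing output");
        }
        Map<String, Object> carried = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            // Snapshot the names first so the session is not modified while iterating.
            for (String name : Collections.list(old.getAttributeNames())) {
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();   // the pre-login session ID stops working here
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        // Mark the session as authenticated only after the ID has changed.
        fresh.setAttribute(AUTH_USER, username);
        return fresh;
    }
}
```

On Servlet 3.1 and later containers, `request.changeSessionId()` performs the same rotation without copying attributes by hand.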