
Bug 370385

Summary: Implement support for CSRF prevention
Product: [RT] Jetty
Component: server
Status: RESOLVED FIXED
Severity: normal
Priority: P3
Version: 7.6.0
Target Milestone: 7.5.x
Hardware: PC
OS: Linux
Reporter: Jan Bartel <janb>
Assignee: Jan Bartel <janb>
QA Contact:
CC: jetty-inbox
Whiteboard:

Description Jan Bartel CLA 2012-02-01 20:39:57 EST
Implement ability to change session id on authentication.
Comment 1 Jan Bartel CLA 2012-02-06 01:54:23 EST
This code is already in place in jetty, and has been for some time.

CSRF protection is in fact enabled by default. To turn it off, call SecurityHandler.setSessionRenewedOnAuthentication(false);

I will leave this issue open, as we are working on changing the mechanism in anticipation of Servlet Spec 3.1 incorporating formal support for CSRF. As part of the changes, we will replace the code that changes the session id by destroying and creating a new session and copying its data over, with code which merely replaces the session id on the existing session.
Comment 2 Jan Bartel CLA 2012-02-08 16:17:57 EST
See new renewSessionId branch in git for work on new mechanism.
Comment 3 Jan Bartel CLA 2013-08-23 03:03:31 EDT
Servlet 3.1 Request.changeSessionId() was implemented some time ago in jetty-9.1 and the impl changed to only change the session id, not the session object.

Jan
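The two mechanisms discussed in Comment 1 and Comment 3 (the older invalidate-and-copy approach and the Servlet 3.1 HttpServletRequest.changeSessionId() approach) are shown side by side below in a login servlet. This is an added example, not Jetty project code; renewing the session id at the moment a session becomes authenticated is the standard defence against session fixation, where an attacker plants a session id in the victim's browser before login. The credential check and the user map are constructed demo data, not a real store. Jetty's own authenticators already do this for container-managed login because SecurityHandler.setSessionRenewedOnAuthentication defaults to true; the manual renewal here is only needed when an application authenticates in its own servlet.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Example only: an application-managed login that renews the session id
// once the user has proven their identity.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Constructed demo credentials; a real application uses a hashed,
    // salted credential store, never a plaintext map.
    private static final Map<String, String> DEMO_USERS = new HashMap<>();
    static {
        DEMO_USERS.put("alice", "correct horse battery staple");
    }

    private static boolean verify(String user, String pass) {
        String expected = user == null ? null : DEMO_USERS.get(user);
        return expected != null && expected.equals(pass);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        if (!verify(user, pass)) {
            // Do not touch the session on failure; nothing has changed
            // about who the client is.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Any session id the client arrived with may have been chosen by
        // an attacker (session fixation), so it must not survive login.
        HttpSession session = renewSessionId(req);
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Servlet 3.1 mechanism (the one Comment 3 says jetty-9.1 implements):
    // the HttpSession object and its attributes are kept, only the id
    // and the Set-Cookie sent to the client change.
    static HttpSession renewSessionId(HttpServletRequest req) {
        HttpSession session = req.getSession(true);
        req.changeSessionId();
        return session;
    }

    // Pre-3.1 mechanism (the one Comment 1 describes replacing): destroy
    // the session, create a new one, and copy the attributes across.
    // Listeners see a destroy plus a create, and attribute copying must
    // happen before invalidate() makes the old session unusable.
    static HttpSession renewSessionByCopy(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> saved = new HashMap<>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    // Exposed for callers that want to inspect the demo credential set.
    static Map<String, String> demoUsers() {
        return Collections.unmodifiableMap(DEMO_USERS);
    }
}
```

Both helpers leave the client with a session id that did not exist before authentication, which is the property that matters. The copy-based version still works on Servlet 3.0 containers, but it re-runs session lifecycle listeners and loses any container-side state that is not an attribute, which is why the spec added changeSessionId() and why the Jetty implementation moved to it.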