Session Hijacking Prevention in Java (Struts 2.0) | Error Encountered
I'm developing an application in Java which seems to have a session hijacking vulnerability.

In order to prevent this, the recommendation is to change the JSESSIONID for a user after login.

My application is based on Struts 2.0 and Tomcat 7, and I have implemented code to change the JSESSIONID after the user logs in.

However, I am facing the following problem while running the code:

java.lang.IllegalStateException: setAttribute: Session already invalidated
    at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1289)
    at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1254)
    at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:130)
    at org.apache.struts2.dispatcher.SessionMap.put(SessionMap.java:181)

Here is the code that I wrote:

    import java.util.Enumeration;
    import java.util.HashMap;
    import java.util.Map;
    import javax.servlet.http.HttpSession;
    import org.apache.struts2.ServletActionContext;

    // Inside the login action. request, userInfoMap, userId and getSession()
    // are fields/methods of the enclosing action and are not shown here.
    HttpSession httpSession = ServletActionContext.getRequest().getSession();
    HashMap<String, Object> attributes = new HashMap<String, Object>();
    Enumeration<String> enames = httpSession.getAttributeNames();
    while ( enames.hasMoreElements() )
    {
        String name = enames.nextElement();
        // JSESSIONID is the cookie name, never a session attribute, so this test never matches
        if ( !name.equals( "JSESSIONID" ) )
        {
            attributes.put( name, httpSession.getAttribute( name ) );
        }
    }
    httpSession.invalidate();
    httpSession = request.getSession(true);   // new HttpSession, new JSESSIONID
    for ( Map.Entry<String, Object> et : attributes.entrySet() )
    {
        // The stack trace shows this put() goes to Struts' SessionMap,
        // which still wraps the session invalidated above
        userInfoMap.put( et.getKey(), et.getValue() );
    }
    getSession().put("userid", userId); // Setting value to session
Dakota answered 4/6, 2013 at 7:52 Comment(1)
The question is not clear: userId and setAttribute are not defined, the exception should be fully reported, and it would be better to say why you are playing with the JSESSIONID; what is your final goal? (Duque)

Usually, when you invalidate the session you should redirect to some action, so that a new session map is injected into it if the action implements SessionAware.

But in the code you posted you are trying to reuse the session map while it still contains the old session.

Chute answered 4/6, 2013 at 13:23 Comment(0)
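A login action that follows this answer, as an added example rather than code from the question or the answer: it copies the attributes, invalidates the session, obtains the fresh HttpSession directly from the request instead of through the injected SessionMap, writes the login state there, and returns a redirectAction result so that the next action receives a session map bound to the new session. The package, class and action names, the struts.xml fragment, the sample credentials and the username/password properties are assumptions made for the example.

```java
package example.auth; // assumed package name

import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.struts2.ServletActionContext;
import org.apache.struts2.interceptor.SessionAware;

import com.opensymphony.xwork2.ActionSupport;

/*
 * Assumed struts.xml mapping. The redirectAction result is the point of the
 * answer: the browser issues a new request carrying the new JSESSIONID cookie,
 * and Struts injects a SessionMap bound to the new session into "home".
 *
 *   <action name="login" class="example.auth.LoginAction">
 *       <result name="success" type="redirectAction">home</result>
 *       <result name="input">/login.jsp</result>
 *   </action>
 */
public class LoginAction extends ActionSupport implements SessionAware {

    private static final long serialVersionUID = 1L;

    // Constructed sample credentials for the example; a real action would
    // consult its user store and compare a password hash.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("alice", "correct horse battery staple");
    }

    private Map<String, Object> session;   // injected by Struts before execute()
    private String username;
    private String password;

    public void setSession(Map<String, Object> session) { this.session = session; }
    public void setUsername(String username) { this.username = username; }
    public void setPassword(String password) { this.password = password; }

    @Override
    public String execute() {
        if (username == null || password == null
                || !password.equals(USERS.get(username))) {
            addActionError("Invalid credentials");
            return INPUT;
        }

        HttpServletRequest request = ServletActionContext.getRequest();
        HttpSession fresh = renewSession(request);

        // Write login state to the NEW HttpSession directly. The injected
        // 'session' map still wraps the session invalidated inside
        // renewSession(); a put() on it is what raises
        // "setAttribute: Session already invalidated".
        fresh.setAttribute("userid", username);

        // 'session' is deliberately not touched after this point; the redirect
        // gives the next action a SessionMap for the new session.
        return SUCCESS;
    }

    /**
     * Servlet 3.0 (Tomcat 7) has no changeSessionId(), so renew the session
     * by hand: copy the attributes worth keeping, invalidate the old session,
     * create a new one (Tomcat then sends a fresh JSESSIONID cookie) and
     * restore the copied attributes into it.
     */
    static HttpSession renewSession(HttpServletRequest request) {
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Two practical notes. First, on Servlet 3.1 containers (Tomcat 8 and later) `HttpServletRequest.changeSessionId()` does the whole renewal in one call and keeps the attributes, so the manual copy is only needed on Servlet 3.0 containers such as Tomcat 7. Second, copying every attribute carries all pre-login state into the new session; renewing the ID is what defeats session fixation, but it is worth deciding explicitly which attributes deserve to survive the login boundary rather than copying them wholesale.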

© 2022 - 2024 — McMap. All rights reserved.