I am trying to figure out how to prevent Session Fixation on a JSF login form in Glassfish 3.1. It was easy to do with Servlets, so I am trying to do the same with JSF (based on this question: Retrieving session ID value from a JSF request):
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;
FacesContext fCtx = FacesContext.getCurrentInstance();
HttpSession session = (HttpSession) fCtx.getExternalContext().getSession(false); // existing session, or null if none
if (session != null) {
    session.invalidate(); // discard the pre-login session and its id
}
fCtx.getExternalContext().getSession(true); // start a new session with a fresh id
It seems to work, but when I click the browser's back button and re-enter the login details, I get:
javax.faces.application.ViewExpiredException: viewId:/index.xhtml - View /index.xhtml could not be restored.
It works again only after a "refresh" and resend.
What could be the reason for that?
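With JSF's default server-side state saving, the view state of a rendered page is kept in the HTTP session, so a login page that was rendered before session.invalidate() can no longer be restored when the browser's back button resubmits it. The following is an added example, not code from the question or from Glassfish, of a JSF 2 ExceptionHandlerFactory decorator that turns that ViewExpiredException into a redirect to the login page instead of an error page; the class name and the factory's package are assumptions, and /index.xhtml is the login view named in the stack trace above.

```java
import java.io.IOException;
import java.util.Iterator;
import javax.faces.FacesException;
import javax.faces.application.ViewExpiredException;
import javax.faces.context.ExceptionHandler;
import javax.faces.context.ExceptionHandlerFactory;
import javax.faces.context.ExceptionHandlerWrapper;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.ExceptionQueuedEvent;

/**
 * Decorates the default ExceptionHandlerFactory so that a ViewExpiredException
 * (view state belonging to a session that has since been invalidated) sends the
 * user back to the login page with a fresh GET instead of surfacing as an error.
 * Hypothetical class written for this example.
 */
public class ViewExpiredExceptionHandlerFactory extends ExceptionHandlerFactory {

    // Login view from the question's stack trace; adjust to your own page.
    static final String LOGIN_PAGE = "/index.xhtml";

    private final ExceptionHandlerFactory parent;

    // JSF hands the previously registered factory to this constructor (decorator pattern).
    public ViewExpiredExceptionHandlerFactory(ExceptionHandlerFactory parent) {
        this.parent = parent;
    }

    @Override
    public ExceptionHandler getExceptionHandler() {
        return new Handler(parent.getExceptionHandler());
    }

    static class Handler extends ExceptionHandlerWrapper {
        private final ExceptionHandler wrapped;

        Handler(ExceptionHandler wrapped) {
            this.wrapped = wrapped;
        }

        @Override
        public ExceptionHandler getWrapped() {
            return wrapped;
        }

        @Override
        public void handle() throws FacesException {
            Iterator<ExceptionQueuedEvent> events = getUnhandledExceptionQueuedEvents().iterator();
            while (events.hasNext()) {
                ExceptionQueuedEvent event = events.next();
                Throwable cause = event.getContext().getException();
                if (cause instanceof ViewExpiredException) {
                    FacesContext fc = FacesContext.getCurrentInstance();
                    ExternalContext ec = fc.getExternalContext();
                    try {
                        // A redirect renders a new login view inside the current session,
                        // so the next submit carries view state that can be restored.
                        ec.redirect(ec.getRequestContextPath() + LOGIN_PAGE);
                        fc.responseComplete();
                    } catch (IOException e) {
                        throw new FacesException(e);
                    } finally {
                        events.remove(); // mark this exception as handled
                    }
                }
            }
            // Anything not handled above goes to the default handler.
            getWrapped().handle();
        }
    }
}
```

Register the factory in faces-config.xml under <factory><exception-handler-factory>, using the fully qualified name of the class in your package. The session invalidation itself is unchanged: the decorator only replaces the error page with a redirect when a stale view is submitted. If you would rather the back-button resubmit never hit this path, setting the javax.faces.STATE_SAVING_METHOD context parameter to client keeps the view state in the page instead of in the session, at the cost of larger responses.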