tomcat-dev mailing list archives

From "Christoph Lenggenhager" <>
Subject Measures against Session Fixation
Date Tue, 12 Feb 2008 15:25:40 GMT

I was discussing the problem of session fixation [1] on the
tomcat-users list [2] and thought that it would be interesting to hear
an opinion of a developer on that subject.

Basically, I'd like to know what you think about a feature request/bug
report that the tomcat container should take care of session fixation
by automatically renewing the session (or at least its id) upon a
successful login.

Unfortunately, the possibilities to hook into the login process (e.g.
when using form-based login) are rather limited.
When providing one's own realm implementation, it is not possible to gain
access to the current session AFAIK.

What is left (and what I have done): come up with my own valve
implementation that tries to fix the problem. However, this seems a
rather clumsy way to fight the problem.

If you think a request would be a bad idea, how would you fight the problem?


kind regards,
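The fix the post asks for, renewing the session id at the moment a request first arrives authenticated, can be done portably at the servlet level rather than with a Tomcat-specific valve. The following is an added example, not code from the original post or from Tomcat; it assumes a Servlet 3.1 container (Tomcat 8 or later), because it relies on `HttpServletRequest.changeSessionId()`, which swaps the id while keeping the same `HttpSession` object, so the principal the container caches in the session and the application's attributes both survive. The attribute name `example.session.rotatedFor` is this example's own choice. Tomcat's authenticators later gained a `changeSessionIdOnAuthentication` setting that does the same thing internally, so a filter like this is mainly useful where that setting is unavailable or where the application must not depend on the container.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Rotates the session id the first time a request carries an authenticated
 * principal. The id the browser held before login (which an attacker could
 * have planted) is therefore never the id of the logged-in session.
 */
@WebFilter(urlPatterns = "/*")
public class SessionIdRotationFilter implements Filter {

    // Session attribute recording which principal the current id was issued
    // for. The attribute name is this example's own (hypothetical) choice.
    static final String ROTATED_FOR = "example.session.rotatedFor";

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            rotateIfNewlyAuthenticated((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    /** Returns true when the session id was rotated on this request. */
    static boolean rotateIfNewlyAuthenticated(HttpServletRequest request) {
        Principal user = request.getUserPrincipal();
        HttpSession session = request.getSession(false);
        if (user == null || session == null) {
            return false;             // not logged in, or no session to protect
        }
        Object marker = session.getAttribute(ROTATED_FOR);
        if (user.getName().equals(marker)) {
            return false;             // already rotated for this login
        }
        // Servlet 3.1: new id, same HttpSession object. The container's cached
        // principal and the application's session attributes are preserved,
        // which invalidate()+getSession(true) would not guarantee.
        request.changeSessionId();
        session.setAttribute(ROTATED_FOR, user.getName());
        return true;
    }
}
```

With form-based login the container authenticates and then replays the originally requested URL, so the first request the filter sees with a non-null principal is that replayed request; the rotation happens there, before any application code runs. A later login as a different user in the same session changes the marker and triggers a second rotation. Filters run after the container's authenticator, which is why this works from a filter even though, as the post notes, a realm cannot reach the session.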

