tomcat-dev mailing list archives

From "Christoph Lenggenhager" <clenggenha...@gmail.com>
Subject Measures against Session Fixation
Date Tue, 12 Feb 2008 15:25:40 GMT
Hi,

I was discussing the problem of session fixation [1] on the
tomcat-users list [2] and thought that it would be interesting to hear
an opinion of a developer on that subject.

Basically, I'd like to know what you think about a feature request/bug
report that the tomcat container should take care of session fixation
by automatically renewing the session (or at least its id) upon a
successful login.

Unfortunately, the possibilities to hook into the login process (e.g.
when using form-based login) are rather limited.
When providing one's own realm implementation, it is not possible to gain
access to the current session AFAIK.

What is left (and what I have done): come up with my own valve
implementation that tries to fix the problem. However, this seems a
rather clumsy way to fight the problem.

If you think a request would be a bad idea, how would you fight the problem?

Thanks.

kind regards,
christoph


[1]: http://www.owasp.org/index.php/Session_Fixation
[2]: http://mail-archives.apache.org/mod_mbox/tomcat-users/200802.mbox/%3ca475e7310802060511h66215390m720f37dee31ad9e7@mail.gmail.com%3e

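The valve approach Christoph mentions, sketched here as an added illustration. This is not his valve and not code from the Tomcat project; it is written against the Tomcat 6.0 Catalina API (org.apache.catalina.Session, connector.Request, valves.ValveBase, authenticator.Constants). The package name and the RENEWED_FOR note name are made up for the example, and the code assumes the valve is declared in the web application's META-INF/context.xml so that it sits in the Context pipeline ahead of the authenticator valve and runs before the response can be committed.

```java
// Added example, not part of the original mail or of Tomcat itself.
// Assumes the Tomcat 6.0 Catalina API; package and note names are hypothetical.
package example.sessionfixation;

import java.io.IOException;
import java.security.Principal;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpSession;

import org.apache.catalina.Session;
import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class SessionRenewalValve extends ValveBase {

    // Note recording which principal the current session id was issued for
    // (hypothetical name, private to this valve).
    private static final String RENEWED_FOR = "example.sessionfixation.RENEWED_FOR";

    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        Session session = request.getSessionInternal(false);
        // Renew before the application runs, while the new JSESSIONID cookie
        // can still be added to the response.
        if (session != null && loginJustCompleted(session) && !response.isCommitted()) {
            renew(request, session);
        }
        getNext().invoke(request, response);
    }

    // A session needs a fresh id the first time it carries an authenticated
    // principal: either already registered by the authenticator on an earlier
    // request, or parked in FORM_PRINCIPAL_NOTE by a successful j_security_check
    // and about to be registered on this request (the redirect back to the
    // protected page).
    private boolean loginJustCompleted(Session session) {
        Principal p = authenticatedPrincipal(session);
        if (p == null) {
            return false; // anonymous session: nothing to protect yet
        }
        return !p.getName().equals(session.getNote(RENEWED_FOR));
    }

    private Principal authenticatedPrincipal(Session session) {
        Principal p = session.getPrincipal();
        if (p == null) {
            p = (Principal) session.getNote(Constants.FORM_PRINCIPAL_NOTE);
        }
        return p;
    }

    private void renew(Request request, Session oldSession) {
        HttpSession oldHttp = oldSession.getSession();

        // Snapshot application attributes and Catalina notes: expire() unbinds them.
        Map<String, Object> attrs = new HashMap<String, Object>();
        for (Enumeration e = oldHttp.getAttributeNames(); e.hasMoreElements();) {
            String name = (String) e.nextElement();
            attrs.put(name, oldHttp.getAttribute(name));
        }
        Map<String, Object> notes = new HashMap<String, Object>();
        for (Iterator i = oldSession.getNoteNames(); i.hasNext();) {
            String name = (String) i.next();
            notes.put(name, oldSession.getNote(name));
        }
        Principal principal = authenticatedPrincipal(oldSession);
        String authType = oldSession.getAuthType();

        // Retire the id the client (and anyone who planted it) already knows.
        oldSession.expire();

        // The connector Request notices the expired session, asks the Manager
        // for a new one and adds the new JSESSIONID cookie to the response.
        Session newSession = request.getSessionInternal(true);
        HttpSession newHttp = newSession.getSession();
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            newHttp.setAttribute(e.getKey(), e.getValue());
        }
        for (Map.Entry<String, Object> e : notes.entrySet()) {
            newSession.setNote(e.getKey(), e.getValue());
        }
        // Carry over container-managed authentication state; without this the
        // authenticator would treat the new session as anonymous and send the
        // user back to the login form.
        newSession.setPrincipal(oldSession.getPrincipal());
        newSession.setAuthType(authType);
        newSession.setNote(RENEWED_FOR, principal.getName());
    }
}
```

Declared as `<Valve className="example.sessionfixation.SessionRenewalValve"/>` in the context configuration. Two points worth knowing before relying on something like this: the renewal only helps if it happens before the response is committed, which is why the check runs ahead of `getNext().invoke()` rather than after it; and `expire()` fires `HttpSessionListener.sessionDestroyed` and attribute-unbound callbacks on the old session, so application listeners see a logout/login pair even though the attributes are carried over. That reliance on Catalina-internal notes and pipeline ordering is the clumsiness the mail complains about.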

