From: "Christoph Lenggenhager"
To: dev@tomcat.apache.org
Date: Tue, 12 Feb 2008 16:25:40 +0100
Subject: Measures against Session Fixation

Hi,

I was discussing the problem of session fixation [1] on the tomcat-users list [2] and thought that it would be interesting to hear the opinion of a developer on that subject.

Basically, I'd like to know what you think about a feature request/bug report that the tomcat container should take care of session fixation by automatically renewing the session (or at least its id) upon a successful login.

Unfortunately, the possibilities to hook into the login process (e.g. when using form-based login) are rather limited. When providing one's own realm implementation, it is not possible to gain access to the current session AFAIK. What is left (and what I have done): come up with one's own valve implementation that tries to fix the problem. However, this seems a rather clumsy way to fight the problem.

If you think a request would be a bad idea, how would you fight the problem?

Thanks.

kind regards,
christoph

[1]: http://www.owasp.org/index.php/Session_Fixation
[2]: http://mail-archives.apache.org/mod_mbox/tomcat-users/200802.mbox/%3ca475e7310802060511h66215390m720f37dee31ad9e7@mail.gmail.com%3e
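The valve approach the message describes, written out as an added example (not code from the thread or from the Tomcat project): on the first request that arrives with an authenticated session, the id the client presented before login is retired and the session state is moved to a freshly generated id. It assumes the Tomcat 6-era Catalina API (`Request.getSessionInternal`, `Manager.createSession`, `Globals.SESSION_COOKIE_NAME`) and that the authenticator caches the principal on the Catalina `Session`; the marker attribute name is constructed for this example.

```java
import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpSession;
import org.apache.catalina.Globals;
import org.apache.catalina.Manager;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/** Renews the session id once, the first time a request carries an authenticated session. */
public class SessionFixationValve extends ValveBase {
    // Constructed marker attribute name: set on the fresh session so the migration runs only once.
    private static final String RENEWED = "org.example.session.renewed";

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        Session old = request.getSessionInternal(false);
        if (old != null && old.getPrincipal() != null
                && old.getSession().getAttribute(RENEWED) == null) {
            migrate(request, response, old);
        }
        getNext().invoke(request, response);
    }

    private void migrate(Request request, Response response, Session old) {
        Manager manager = old.getManager();
        Session fresh = manager.createSession(null); // null: manager generates a random id
        HttpSession from = old.getSession();
        HttpSession to = fresh.getSession();
        for (Enumeration<?> names = from.getAttributeNames(); names.hasMoreElements();) {
            String name = (String) names.nextElement();
            to.setAttribute(name, from.getAttribute(name));
        }
        fresh.setPrincipal(old.getPrincipal()); // keep the user logged in under the new id
        fresh.setAuthType(old.getAuthType());
        to.setAttribute(RENEWED, Boolean.TRUE);
        old.expire(); // the pre-login id is now unusable, whoever else may know it
        // Point the current request at the new session and send its id to the browser.
        request.setRequestedSessionId(fresh.getId());
        if (request.getContext().getCookies()) {
            Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME, fresh.getId());
            String path = request.getContext().getPath();
            cookie.setPath(path == null || path.length() == 0 ? "/" : path);
            cookie.setSecure(request.isSecure());
            response.addCookie(cookie);
        }
    }
}
```

Register it as a `<Valve className="..."/>` inside the `<Context>` so it runs before the context's authenticator; session state kept outside the `HttpSession` attributes (for example `Session` notes) is not carried over by this example.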