tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 51631] New: Bug in the Session Fixation Protection Feature
Date Mon, 08 Aug 2011 09:46:21 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51631

             Bug #: 51631
           Summary: Bug in the Session Fixation Protection Feature
           Product: Tomcat 7
           Version: 7.0.12
          Platform: PC
            Status: NEW
          Severity: major
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: michael_furman@hotmail.com
    Classification: Unclassified


Created attachment 27359
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=27359
The AuthenticatorBase.java file with fix

Bug in the Session Fixation Protection Feature
The Session Fixation Protection feature was added to Apache Tomcat 7 and Apache
Tomcat 6.
The feature can be problematic if an application does not use Form
Authenticator and in addition the application creates a session.
In this case the session will not be created by an authenticator, and upon the
next request the session fixation protection feature in the authenticator will
recreate the session. The problem is that the application can lose its state.
How to fix the bug?
Please find the attached patch for Apache Tomcat 7.
The fix will allow the authenticator to create a session upon authentication,
and the application will not be required to create a session.
Tomcat 7 already has the variable alwaysUseSession, but unfortunately it is not
possible to configure it.
BTW, I think that a better name for the variable is enforceSessionCreation.
When it is released, it will be required to configure the context of your
application (not the main context $CATALINA_BASE/conf/context.xml):
<Context>
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
         alwaysUseSession="true"/>
</Context>

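A diagnostic servlet for observing the behaviour this report describes (an added example, not code from the bug report or from Tomcat): an unprotected path stores a marker in an application-created session, and a BASIC-protected path reports whether that marker and the session id survived authentication. It assumes a Servlet 3.0 container such as Tomcat 7 and a web.xml security constraint with BASIC auth covering /check/secure; the paths and the attribute name are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed paths: /check/open is unprotected, /check/secure is behind a
// BASIC auth security constraint declared in web.xml (not shown).
@WebServlet(urlPatterns = {"/check/open", "/check/secure"})
public class SessionStateCheckServlet extends HttpServlet {

    // Assumed attribute name used as the state the application wants to keep.
    private static final String MARKER = "stateBeforeAuth";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // The application, not the authenticator, creates the session here.
        HttpSession session = req.getSession(true);

        if (req.getServletPath().endsWith("/open")) {
            // Unauthenticated request: record state plus the id it was stored under,
            // so the protected request can show whether the id was changed.
            session.setAttribute(MARKER, "stored-in-session-" + session.getId());
            out.println("open: session=" + session.getId() + " marker stored");
            return;
        }

        // Protected request: the authenticator ran before this servlet.
        Object marker = session.getAttribute(MARKER);
        out.println("secure: user=" + req.getRemoteUser()
                + " session=" + session.getId());
        if (marker == null) {
            out.println("marker missing: session state did not survive authentication");
        } else {
            out.println("marker kept: " + marker);
        }
    }
}
```

Request /check/open without credentials, then /check/secure with the same cookie jar and valid credentials; compare the output with and without alwaysUseSession="true" on the context's BasicAuthenticator valve.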
