tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: How to avoid session fixation?
Date Mon, 11 Feb 2008 20:32:47 GMT
Hash: SHA1


David Delbecq wrote:
| I think this is worth submitting a security issue request on tracker,
| to ask that, at least, the container links the requester IP to the
| session.

I'm pretty sure that nobody will want to do this -- at least not without
the ability to turn the feature off. You'll break a lot of users if you
require session id <-> ip address matching.

| Changing session ID upon login in container would be a good thing
| imho, it would ensure ID become unknown to attacker after login,
| wouldn't destroy user session (keep session, only change it's
| identifier) and would work whatever authentication mechanism is used.
I completely agree. Christopher, I think your valve might be more
attractive if it was able to change the id of the session and leave it
at that. I'm not familiar enough with the Tomcat API to know if this is
possible and/or a good idea.

| Draw back is that webapp that rely on session id for some session
| tracking mechanism would break.

True, although most webapps probably use whatever session id is
currently in use. If you did a lot of AJAX where the session id
available to the page becomes out-of-date after a login, you will have
to make special considerations for that. I think you'll find that this
is not much of a problem.

- -chris
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla -


To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message