tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christoph Lenggenhager" <>
Subject How to avoid session fixation?
Date Wed, 06 Feb 2008 13:11:44 GMT
Dear all,

I'm currently trying to find a way to fight "Session Fixation"
( in tomcat when using
the built -in mechanisms to authenticate users of a servlet. In the
environment in question, an own realm implementation is in place and
we use the SingleSignOn feature as well.

I've asked google and also looked through this list, but I couldn't
find anything on the subject.

So, my question is: Has anyone out there successfully solved this
problem and has a solution that integrates neatly with the standard
authentication mechanisms tomcat provides?

Or is it in fact not a problem at all?

A common solution to fix the problem is to renew the session (or at
least it's id) right before/after the user is authenticated (i.e. in
the same request). I came up with a custom valve that kind of does the
job, but I'm really not sure whether this is the way to go or if I'm
messing too much with tomcat internals.

Thanks for any help.

Kind regards,

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message