tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christoph Lenggenhager" <clenggenha...@gmail.com>
Subject Re: How to avoid session fixation?
Date Fri, 08 Feb 2008 09:49:06 GMT
David, Christopher

Thank you for sharing your thoughts.

It seems to me that there is no standard solution to this problem, but you
agree with me that the problem exists.

As I mentioned before, I came up with a solution that looks promising.

Here's a rough description, I'd welcome your opinions/concerns:

- a custom valve contains the whole implementation
- requests to the servlet/URI "j_security_check" are intercepted
- for intercepted requests the current session is destroyed
  and a new one is created:

  -- snip --
  ...
  request.getSession().invalidate();
  request.getSession(true);
  ...
  -- snap --

- to have a proper redirect to the originally requested page
  the original request has to be copied from the old session
  to the new one.
  I filter out any references to the old session id, although I'm
  not sure whether this is really necessary.

Well, first of all, I'm in the comfortable situation that I'm not interested
in any session attributes that existed before the actual login, so
this make things easier.
Furthermore, it's clearly a homemade hack, but it seems to do the job.


Do you think it's worth to open a bug/feature request concerning this
issue? For I actually think
that this is clearly a task the container should take care of.

Thanks.

regards,
christoph

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message