tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From umeshkavade <>
Subject Re: Form Based Authentication creates user session before it is authenticated?
Date Wed, 13 May 2009 04:35:58 GMT

>No, you'd have to write your own authentication mechanism. Tomcat is
>required to store the request that triggered authentication for re-play
>after a successful authentication. If not the request, where else should
>it be stored?

Christopher, thanks for the reply.

This is inline with my analysis.

Actually, I am trying to address 'Session Fixation' issue in my web
application. I saw your reply on thread

In one of the reply you gave following suggestion to address the issue:

- a custom valve contains the whole implementation 
- requests to the servlet/URI "j_security_check" are intercepted 
- for intercepted requests the current session is destroyed 
  and a new one is created: 

  -- snip -- 
  -- snap -- 

- to have a proper redirect to the originally requested page 
  the original request has to be copied from the old session 
  to the new one. 
  I filter out any references to the old session id, although I'm 
  not sure whether this is really necessary. 

I think, this would solve my problem. The only blocker for me is step:
"requests to the servlet/URI "j_security_check" are intercepted". I did not
get good info on google which would teach me how I can do this.

Pointers on this would be of great help.


P.S: BTW, is Tomcat planning to resolve this vulnerability in near future?

View this message in context:
Sent from the Tomcat - User mailing list archive at

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message