tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Tomcat 6.0.24 requires me to log on twice
Date Fri, 09 Apr 2010 07:06:16 GMT
On 08/04/2010 23:34, Christopher Schultz wrote:
>> This happens on Tomcat 6.0.24 and 6.0.26, but not 6.0.20, which makes me
>> think it is related to change 45255 (Provide protection against session
>> fixation by changing session ID automatically on authentication.), in
>> the dev environment tomcat is running on windows XP. Session tracking is
>> done by cookie, not URL rewriting.
>
> I haven't read the actual patch that added this session-id switching but
> it's not clear if it's configurable. Mark said he'd likely make this an
> option that defaults to "off".

Security trumped compatibility in this case and it defaults to on. 
Nothing stopping you turning it off though.

I'd note that apps that have issues with this behaviour are likely to 
have issues with load-balancing, sticky sessions and fail-over as 
exactly the same code is used to change the session ID on fail-over.

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
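The switch Mark refers to is the changeSessionIdOnAuthentication attribute on the authenticator valve. The fragment below is an added illustration written for this page, not code from the thread or from the Tomcat project; it assumes the application uses FORM authentication in its web.xml and lives in a context whose META-INF/context.xml you control. The valve class has to match the application's auth-method (FormAuthenticator for FORM, BasicAuthenticator for BASIC, and so on), because Tomcat only lets you set authenticator attributes when the valve is declared explicitly.

```xml
<!-- META-INF/context.xml (added example, not from the original thread).
     Assumption: web.xml declares <auth-method>FORM</auth-method>. -->
<Context>

  <!-- Default since 6.0.24: the attribute can be omitted entirely.
       Tomcat issues a fresh session ID at the moment the user authenticates,
       which is what defeats session fixation. Shown here only for contrast. -->
  <!--
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         changeSessionIdOnAuthentication="true" />
  -->

  <!-- Opt-out: restores the 6.0.20 behaviour, i.e. the pre-login session ID
       survives authentication. This reopens session fixation, so treat it as
       a temporary workaround while the application is fixed, not a setting. -->
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         changeSessionIdOnAuthentication="false" />

</Context>
```

To confirm which behaviour is in effect, request a protected page, note the JSESSIONID cookie Tomcat sets, then POST the credentials to j_security_check and look at the Set-Cookie header on the response: with the default the value changes at login, with the attribute set to "false" it does not. If the application only works in the second case, it is tied to the session ID value rather than to the session, which is the same dependency that will bite on the fail-over path Mark mentions, where Tomcat changes the ID with the same code.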

