tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrea Corti <ilgrandemazin...@gmail.com>
Subject Re: Session Invalidate not working on HTTPS ( Tomcat 6.0.29 )
Date Tue, 30 Nov 2010 09:58:20 GMT
2010/11/29 Christopher Schultz <chris@christopherschultz.net>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Andrea,
>
> On 11/29/2010 9:37 AM, Andrea Corti wrote:
> > In order to avoid session fixation in the login phase of our application
> > we have to invalidate the session.
>
> As you may have noted, Tomcat has implemented this behavior and you
> shouldn't have to worry about it.
>
> > But we found the issue reported in the following bug (marked as solved)
> > related to Tomcat &.0.28:
> >
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=49598
>
> That would be the one.
>
> > I'm using tomcat 6.0.29 (under win XP and linux CentOS)  where the issue
> is
> > marked as resolved but i can replicate it every time.
>
> Okay, how are you replicating it and what are your results?
>
> > If it can be helpful i'm in a servlet in an https connection (without any
> > framework or similar).
> > I discovered that on http call the session is correctly renewed but on
> https
> > it is not.
>
> Interesting.
>
> > Follows an extract form a test servlet:
> >         HttpSession s = req.getSession();
> >         if (s==null) {
> >             System.out.println(mt+":Session is null");
> >         } else {
> >             System.out.println(mt+":Session id="+s.getId()+"\t
> > New="+s.isNew());
> >         }
> >         System.out.println("pre- invalidate");
> >         s.invalidate();
> >         System.out.println("post- invalidate: id="+s.getId());
> >         s = req.getSession(true);
> >         System.out.println("post- get new: id="+s.getId());
>
> Okay, what does the above servlet print when you access it via HTTP, and
> then access it via HTTPS?
>

HTTP Output:
POST:Session id=F5FAF6115F7BA37ECDA22299C9B3B4BC     New=true
pre- invalidate
sessionDestroyed [F5FAF6115F7BA37ECDA22299C9B3B4BC] <-- this log is printed
by a HttpSessionListener
post- invalidate: id=F5FAF6115F7BA37ECDA22299C9B3B4BC
sessionCreated [36BA1CCC7AEC8A9808027D57B6A5A52A] <-- this log is printed by
a HttpSessionListener
post- get new: id=36BA1CCC7AEC8A9808027D57B6A5A52A

We can notice that the session id after the GetSession(true) is different
from the previous one.

HTTPS Output:
POST:Session id=36BA1CCC7AEC8A9808027D57B6A5A52A     New=false
pre- invalidate
sessionDestroyed [36BA1CCC7AEC8A9808027D57B6A5A52A] <-- this log is printed
by a HttpSessionListener
post- invalidate: id=36BA1CCC7AEC8A9808027D57B6A5A52A
sessionCreated [36BA1CCC7AEC8A9808027D57B6A5A52A] <-- this log is printed by
a HttpSessionListener
post- get new: id=36BA1CCC7AEC8A9808027D57B6A5A52A

In this case the session id is always the same!

Can someone suggest a way to avoid such issue? I saw that between release 28
and 29 the following class has been changed but i'm not able to debug it.
java\org\apache\catalina\connector\Response.java (method
addSessionCookieInternal)

Thanks.

Andrea












> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkzz210ACgkQ9CaO5/Lv0PA0gACeOXNvdinscHW4m2zogNdFrYA3
> qbcAnjrtZAJyjJIh/Hhq77B1ClkVnLdG
> =maAw
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message