tomcat-users mailing list archives

From Andrea Corti <ilgrandemazin...@gmail.com>
Subject Session Invalidate not working on HTTPS ( Tomcat 6.0.29 )
Date Mon, 29 Nov 2010 14:37:44 GMT
Hi,
   in order to avoid session fixation in the login phase of our application
we have to invalidate the session.
But we found the issue reported in the following bug (marked as solved)
related to Tomcat 6.0.28:

https://issues.apache.org/bugzilla/show_bug.cgi?id=49598


I'm using Tomcat 6.0.29 (under Win XP and Linux CentOS) where the issue is
marked as resolved, but I can replicate it every time.

If it can be helpful, I'm in a servlet on an HTTPS connection (without any
framework or similar).
I discovered that on http call the session is correctly renewed but on https
it is not.

Is there any way to avoid such an issue?

I made the mistake to post it on bugzilla before posting here, sorry.

An extract from a test servlet follows (the wrapping class, the imports and the
definition of mt are added here so the extract compiles; the original only showed
the body):

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    public class SessionTestServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String mt = req.getMethod(); // assumed: a label for the log lines
            HttpSession s = req.getSession();
            if (s == null) {
                System.out.println(mt + ":Session is null");
            } else {
                System.out.println(mt + ":Session id=" + s.getId() + "\tNew=" + s.isNew());
            }
            System.out.println("pre- invalidate");
            s.invalidate();
            // Tomcat 6 still returns the (now invalid) id here
            System.out.println("post- invalidate: id=" + s.getId());
            s = req.getSession(true);
            // On HTTPS this id is observed to be the same as before invalidate()
            System.out.println("post- get new: id=" + s.getId());
        }
    }

Thanks very much .

BR,
  Andrea
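An added example, not code from Andrea's mail or from Tomcat: a login-time helper for a Servlet 2.5 container (which has no changeSessionId()) that invalidates the old session, creates a new one, carries over a whitelist of attributes, and refuses to proceed if the container handed back the same id, so the HTTPS symptom described above is detected instead of silently leaving the pre-login id in place. The class name and the KEEP list are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical helper: rotate the session at the moment of authentication.
public final class SessionRotation {

    private SessionRotation() {}

    // Attributes worth keeping across the rotation; everything else is dropped
    // so that nothing set before authentication survives unreviewed (assumed list).
    private static final String[] KEEP = {"locale", "returnTo"};

    /**
     * Invalidates the caller's current session, creates a fresh one and copies
     * the whitelisted attributes. Throws if the id did not change, which is
     * exactly the failure mode reported for HTTPS requests on Tomcat 6.0.x.
     */
    public static HttpSession rotate(HttpServletRequest req) throws ServletException {
        HttpSession old = req.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        String oldId = null;
        if (old != null) {
            oldId = old.getId();
            for (String name : KEEP) {
                Object v = old.getAttribute(name);
                if (v != null) {
                    carried.put(name, v);
                }
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        if (oldId != null && oldId.equals(fresh.getId())) {
            // Do not authenticate on an id the client already held before login.
            fresh.invalidate();
            throw new ServletException("session id was not renewed after invalidate()");
        }
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Call SessionRotation.rotate(req) after the credentials have been verified and before any authenticated state is stored; the ServletException path is the place to log the request so the HTTP-vs-HTTPS difference shows up in the server log.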
