tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Session Invalidate not working on HTTPS ( Tomcat 6.0.29 )
Date Tue, 30 Nov 2010 15:03:24 GMT
2010/11/30 Andrea Corti <ilgrandemazinger@gmail.com>:
> Hi, I discovered that (perhaps) the problem arises in the following rows in
> the Request class:
>
>        // Attempt to reuse session id if one was submitted in a cookie
>        // Do not reuse the session id if it is from a URL, to prevent possible
>        // phishing attacks
>        if (connector.getEmptySessionPath()
>                && isRequestedSessionIdFromCookie()) {
>            session = manager.createSession(getRequestedSessionId());
>        } else {
>            session = manager.createSession(null);
>        }
>
> I have emptySessionPath="true" and the session id is stored in the
> JSESSIONID cookie, so the code goes into the first if, reusing the session id.
> I don't understand very well the comment in the code where it says "Attempt
> to reuse session id if one was submitted in a cookie"; is there any reason
> for this?
> Is it correct to comment out this if statement in order to always call
> createSession(null), or is there another way to work around this?
>
> Thanks in advance.
>

That will mean that every web application will use its own unique value of
session id. Thus you can never share a session id between them.

Effectively, that is not far away from just setting emptySessionPath="false".

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html#Common_Attributes

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

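The branch Andrea quoted, modelled as an added example so the effect of the setting can be seen end to end. This is not Tomcat's code and not from either poster: the `Manager`, `Session`, `newSessionAsTomcatWould` and `idRotatedAfterInvalidate` names are hypothetical stand-ins, the manager only tracks ids (a real Tomcat session also carries attributes, timeouts and a `Manager` back-reference), and the scenario (a browser presenting an existing JSESSIONID, the app calling invalidate(), then getSession(true) on the same request) is constructed. It shows why, with emptySessionPath="true" and the id coming from the cookie, the session created right after invalidate() comes back with the very same id, and why Konstantin's suggestion of emptySessionPath="false" makes the id rotate:

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Added example, not Tomcat code: a stand-alone model of the quoted
// Request branch. All class and method names here are hypothetical.
public class EmptySessionPathDemo {

    /** Stand-in for Tomcat's Manager: creates sessions, optionally with a caller-supplied id. */
    static final class Manager {
        private final Map<String, Session> sessions = new HashMap<>();
        private final SecureRandom random = new SecureRandom();

        Session createSession(String requestedId) {
            // Mirrors the quoted call: a non-null requested id is reused as-is.
            String id = (requestedId != null) ? requestedId : freshId();
            Session s = new Session(id);
            sessions.put(id, s);
            return s;
        }

        void remove(Session s) { sessions.remove(s.id); }

        int size() { return sessions.size(); }

        private String freshId() {
            byte[] b = new byte[16];
            random.nextBytes(b);
            StringBuilder sb = new StringBuilder();
            for (byte x : b) sb.append(String.format("%02X", x));
            return sb.toString();
        }
    }

    /** Stand-in for a Tomcat session: only the id matters for this demonstration. */
    static final class Session {
        final String id;
        boolean valid = true;
        Session(String id) { this.id = id; }
    }

    /** The quoted branch: reuse the cookie-supplied id only when emptySessionPath is on. */
    static Session newSessionAsTomcatWould(Manager manager, boolean emptySessionPath,
                                           String requestedId, boolean idFromCookie) {
        if (emptySessionPath && idFromCookie) {
            return manager.createSession(requestedId);
        }
        return manager.createSession(null);
    }

    /** The check a login handler should make: after invalidate(), did the id actually change? */
    static boolean idRotatedAfterInvalidate(boolean emptySessionPath) {
        Manager manager = new Manager();

        // Constructed scenario: the browser presented this id in its JSESSIONID cookie.
        Session old = manager.createSession(null);
        String cookieId = old.id;

        // session.invalidate(): the old session object is gone from the manager...
        old.valid = false;
        manager.remove(old);

        // ...but the same request still carries the old id from the cookie,
        // so getSession(true) lands in the quoted branch.
        Session fresh = newSessionAsTomcatWould(manager, emptySessionPath, cookieId, true);
        return !fresh.id.equals(cookieId);
    }

    public static void main(String[] args) {
        System.out.println("emptySessionPath=true  -> id rotated after invalidate(): "
                + idRotatedAfterInvalidate(true));
        System.out.println("emptySessionPath=false -> id rotated after invalidate(): "
                + idRotatedAfterInvalidate(false));
    }
}
```

Compile and run it with `javac EmptySessionPathDemo.java && java EmptySessionPathDemo`. The trade-off Konstantin describes is visible in the model: the id survives invalidate() only because emptySessionPath="true" is exactly what lets several web applications on the same host share one JSESSIONID value, so turning it off (or commenting out the branch) buys id rotation at the price of that sharing.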
