tomcat-users mailing list archives

From bradford <fingerm...@gmail.com>
Subject Re: session fixation bug fix - questions
Date Thu, 10 Mar 2011 18:41:12 GMT
Thanks, Mark.  What type of authentication are you referring to?  Are
you talking about the first time they access the Tomcat server?  Or
some sort of authentication I control in my application code?

I would like to use this feature.  Should I just turn it on and see
what happens?  Is there a test I should do to make sure things are
working fine within my app?

Thanks,
Bradford

On Thu, Mar 10, 2011 at 1:36 PM, Mark Thomas <markt@apache.org> wrote:
> On 10/03/2011 18:03, bradford wrote:
>> I see that a session fixation fix [1] was backported into 5.5.29, but
>> is disabled by default.
>>
>> 1) Why is this disabled by default?
>
> Because things may blow up. Apps should handle this but...
>
>> 2) Can I just turn it on and have all my problems solved?  Or could
>> things blow up?
>
> See above.
>
>> 3) What is the authentication step the bug fix is referring to?
>
> When a user authenticates, the session ID is changed.
>
> Mark
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
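The session ID change Mark describes is done by Tomcat's Authenticator valves, i.e. it applies to container-managed login (BASIC, FORM, DIGEST, CLIENT-CERT) and, in the 5.5.29 backport, is switched on per valve with the changeSessionIdOnAuthentication attribute (the attribute name as documented for those valves; check the 5.5 changelog of the build you run). A login that your own application code performs is not touched by it, so the same rotation has to be done there. The block below is an added example, not code from this thread or from the Tomcat project, of doing that on a Servlet 2.4 container such as Tomcat 5.5, where HttpServletRequest.changeSessionId() does not exist yet. The class and method names are my own, and it assumes the attributes being copied over are plain values rather than objects that depend on staying bound to the original session.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example (hypothetical helper, not Tomcat code): rotate the session
 * ID after an application-managed login. The container-side
 * changeSessionIdOnAuthentication option only covers the Authenticator
 * valves; a login done in application code must do this itself.
 */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Invalidates the caller's current session and starts a fresh one that
     * carries the same attributes. Call this after the credentials have been
     * verified and before the authenticated principal is stored, so that a
     * session ID planted before login (fixation) stops being valid.
     */
    public static HttpSession rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            // Keep whatever the pre-login session held (e.g. a shopping
            // cart); the attribute names are Strings per the Servlet API.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            // The pre-login ID is rejected by the container from here on.
            old.invalidate();
        }
        // New session, new ID, new Set-Cookie (or new URL-rewritten ID).
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** True when the ID issued after login differs from the one before it. */
    public static boolean wasRotated(String idBeforeLogin, HttpSession after) {
        return idBeforeLogin == null || !idBeforeLogin.equals(after.getId());
    }
}
```

Call rotate() right after the credentials check and before you mark the session as logged in. What can "blow up", whether the valve or this code does the rotation, is anything that kept the old HttpSession object or its ID: attributes implementing HttpSessionBindingListener receive valueUnbound and then valueBound, and an ID cached in a database row, a URL-rewritten link or an in-flight AJAX request is no longer valid. A sufficient test for either mechanism is to note the JSESSIONID value before login, log in, confirm the cookie value changed (wasRotated above does this check server-side), and then confirm that a request sent with the old ID is treated as unauthenticated.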

