tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pavel Arnošt <>
Subject How to initiate session id change from application code?
Date Wed, 27 Jun 2012 22:11:32 GMT

can I force Tomcat to change session id from my application code? I
know that in Tomcat7 there is a "changeSessionIdOnAuthentication"
attribute that can be used with container managed security, but how
can I protect my application from session fixation attacks if I don't
use container managed security? Invalidating session, creating new
session and copying session attributes is expensive and does't work
with some libraries,  e.g. OpenWebBeans store session objects to
HttpSession only before passivation for performance reasons.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message