tomcat-users mailing list archives

From Stefan Haberl <>
Subject Re: Session does not get invalidated when sessionCookiePath is set to "/"
Date Thu, 03 Oct 2013 09:40:25 GMT
Hi all,

I've created a minimal test case to isolate the problem. The TestServlet does not do much
besides invalidating sessions, generating new ones and checking whether the new one gets a different
ID than the old one (see attached WAR). IMHO I think this could be a Tomcat bug?

Steps to reproduce the problem:

1. Install fresh Tomcat 7.0.42
2. Remove default webapps/ROOT
3. Deploy the attached WAR including the TestCase as webapps/ROOT.war
4. Fire up Tomcat
5. Browse to localhost:8080/TestServlet
6. Reload the page ==> ERROR: No new session ID will be created

As soon as you comment out the sessionCookiePath="/" line in the context descriptor inside
the WAR (/META-INF/context.xml), you can reload the page (Step 6 above) as often as you like,
and new session IDs will be generated, as they IMHO should be to prevent session fixation attacks.

Anyone any thoughts on this?


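The attached WAR is not part of the archived page, so below is an added reconstruction of the check the post describes, written here as an example and not the poster's own code. It assumes Servlet 3.0 (what Tomcat 7 ships), uses the `@WebServlet` annotation to mount at `/TestServlet` so the URL in step 5 matches, and assumes the WAR carries a `/META-INF/context.xml` consisting of `<Context sessionCookiePath="/" />`. On each request it invalidates whatever session the browser presented, asks the container for a fresh one, and reports whether the identifier actually changed, which is the property a login handler relies on to defeat session fixation.

```java
// TestServlet.java -- added example reconstructing the session-rotation check
// described in the post; not the attached WAR. Assumes Servlet 3.0 / Tomcat 7
// and a /META-INF/context.xml of: <Context sessionCookiePath="/" />
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/TestServlet")
public class TestServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // Session the client presented via JSESSIONID; null on the very first request.
        HttpSession old = req.getSession(false);
        String oldId = (old == null) ? null : old.getId();

        if (old != null) {
            // Discard the pre-existing session, as a login handler would do so that
            // an attacker-supplied session ID cannot survive authentication.
            old.invalidate();
        }

        // Request a brand-new session; the container must issue a new identifier.
        HttpSession fresh = req.getSession(true);
        String newId = fresh.getId();

        out.println("old session id: " + oldId);
        out.println("new session id: " + newId);

        if (oldId != null && oldId.equals(newId)) {
            // The failure the post reports when sessionCookiePath="/" is set.
            out.println("ERROR: No new session ID was created");
        } else {
            out.println("OK: session ID changed (or no prior session)");
        }
    }
}
```

To drive it without a browser, `curl -c jar.txt -b jar.txt http://localhost:8080/TestServlet` run twice reproduces steps 5 and 6: the first call has no cookie to present and simply creates a session, the second presents it and exercises the invalidate-then-recreate path. The servlet only observes whether the ID changes; it does not establish why, so it reproduces the symptom the post describes without deciding whether the cause is in Tomcat or in the deployment.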