tomcat-users mailing list archives

From Stefan Haberl <birnbu...@gmail.com>
Subject Re: Session does not get invalidated when sessionCookiePath is set to "/"
Date Thu, 03 Oct 2013 09:40:25 GMT
Hi all,

I've created a minimal test case to isolate the problem. The TestServlet does not do much beyond
invalidating sessions, generating new ones and checking whether the new one gets a different
ID than the old one (see attached WAR). IMHO this could be a Tomcat bug?

Steps to reproduce the problem:

1. Install fresh Tomcat 7.0.42
2. Remove default webapps/ROOT
3. Deploy the attached WAR including the TestCase as webapps/ROOT.war
4. Fire up Tomcat
5. Browse to localhost:8080/TestServlet
6. Reload the page ==> ERROR: No new session ID will be created

As soon as you comment out the sessionCookiePath="/" line in the context descriptor inside
the WAR (/META-INF/context.xml), you can reload the page (step 6 above) as often as you like,
and new session IDs will be generated, as they IMHO should be, to prevent session fixation attacks.

Does anyone have any thoughts on this?

Stefan
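The WAR attached to the mail is not reproduced on this page. What follows is an added example, written for this archive page and not Stefan's attachment, of the kind of servlet the steps above describe: it drops whatever session the client arrived with, asks the container for a fresh one and compares the two IDs, failing closed when they match. The servlet path /TestServlet, the Servlet 3.0 API level (what Tomcat 7.0.42 provides) and the context.xml fragment in the header comment are assumptions of the example.

```java
// TestServlet.java -- added example, not the WAR attached to the mail.
// Assumes Servlet 3.0 (Tomcat 7) and a descriptor at META-INF/context.xml
// containing the attribute under test:
//
//   <Context sessionCookiePath="/" />
//
// Deploy as webapps/ROOT.war and reload http://localhost:8080/TestServlet.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/TestServlet")
public class TestServlet extends HttpServlet {

    /**
     * Rotates the session the way a login handler would to defeat session
     * fixation: invalidate the session the client presented and start a new
     * one. Returns the new session, or null if the container handed back the
     * same ID the client sent, which is the case the mail reports.
     */
    static HttpSession rotateSession(HttpServletRequest req) {
        // ID taken from the JSESSIONID cookie (or URL), null on the first visit.
        String presented = req.getRequestedSessionId();

        HttpSession existing = req.getSession(false);
        if (existing != null) {
            existing.invalidate();
        }
        HttpSession fresh = req.getSession(true);

        if (presented != null && presented.equals(fresh.getId())) {
            // The container re-used the client-supplied ID. An attacker who
            // planted that cookie would still own the post-login session, so
            // refuse to continue with it rather than silently accept it.
            fresh.invalidate();
            return null;
        }
        return fresh;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String presented = req.getRequestedSessionId();
        HttpSession session = rotateSession(req);

        resp.setContentType("text/plain");
        if (session == null) {
            resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
        PrintWriter out = resp.getWriter();
        out.println("requested session id: " + presented);
        if (session == null) {
            out.println("ERROR: no new session ID was created");
        } else {
            out.println("new session id:       " + session.getId());
            out.println("OK: session ID changed");
        }
    }
}
```

Two requests with a cookie jar (for example `curl -c jar -b jar http://localhost:8080/TestServlet`, run twice) exercise the path the mail describes: the first visit has no requested ID and succeeds, the second sends the cookie back and is where the ID comparison matters. The comparison against `getRequestedSessionId()` is the part worth keeping in real login code: invalidate() followed by getSession(true) is the usual Servlet 3.0 idiom for rotating the ID, but it only protects against fixation if the container actually issues a different ID, so the handler should check rather than assume. Servlet 3.1 (Tomcat 8 and later) adds `HttpServletRequest.changeSessionId()` for exactly this purpose; it is not available in 7.0.42.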

