tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Session does not get invalidated when sessionCookiePath is set to "/"
Date Thu, 03 Oct 2013 12:40:42 GMT

Stefan,

On 10/3/13 5:40 AM, Stefan Haberl wrote:
> I've created a minimal test case to isolate the problem. The 
> TestServlet is not doing much but invalidating sessions, generating
> new ones and checking if the new one gets a different ID than the
> old one (see attached WAR). IMHO I think this could be a Tomcat
> bug?
> 
> Steps to reproduce the problem:
> 
> 1. Install fresh Tomcat 7.0.42
> 2. Remove default webapps/ROOT

Is it important that the webapp run as ROOT? Or can it have another
context path?

> 3. Deploy the attached WAR including the TestCase as
> webapps/ROOT.war

This list strips attachments. Perhaps you could create a bug in
Bugzilla and attach it there? I'm not yet convinced there is a Tomcat
bug, so perhaps BZ isn't the right place quite yet. Your other option
would be to host the example webapp somewhere and post a link.

> 4. Fire up Tomcat
> 5. Browse to localhost:8080/TestServlet
> 6. Reload the page ==> ERROR: No new session ID will be created
> 
> As soon as you comment out the sessionCookiePath="/" line at the 
> context descriptor inside the WAR (/META-INF/context.xml) you can
> reload the page (Step 6 above) as often as you like and new session
> IDs will be generated as they IMHO should be to prevent session
> fixation attacks.

- -chris
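The following servlet performs the check that the quoted test case describes: it invalidates any existing session, creates a fresh one and reports whether the new ID differs from the one the browser presented. It is an added example written for this archive page, not the TestServlet from the attachment the list stripped; the `/TestServlet` mapping and the exact response text are assumptions, chosen to match the URL and error message in the quoted steps.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not the original attachment). Mapping path is an assumption
// matching the quoted step "Browse to localhost:8080/TestServlet".
// To exercise the configuration from the report, the webapp's
// META-INF/context.xml would contain: <Context sessionCookiePath="/" />
@WebServlet("/TestServlet")
public class TestServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The session ID the client sent (JSESSIONID cookie or URL), whether or
        // not a session with that ID still exists on the server.
        String requestedId = req.getRequestedSessionId();

        // Drop the current session, if any. Rotating the ID after a privilege
        // change (e.g. login) is the standard session-fixation mitigation.
        HttpSession existing = req.getSession(false);
        if (existing != null) {
            existing.invalidate();
        }

        // Create a brand-new session; its ID must not equal the one presented.
        HttpSession fresh = req.getSession(true);
        String newId = fresh.getId();

        boolean rotated = (requestedId == null) || !requestedId.equals(newId);

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("requested session id: " + requestedId);
        out.println("new session id:       " + newId);
        out.println(rotated
                ? "OK: new session ID created"
                : "ERROR: No new session ID will be created");
    }
}
```

On the first request `requestedId` is `null`, so only the reload matters: if the second line shows the same ID as the first, the container handed back the ID the client sent rather than a fresh one, which is the symptom the report describes. When checking this, also compare the `Set-Cookie` headers in the browser's developer tools, since the `Path` attribute Tomcat writes (controlled by `sessionCookiePath`) decides whether the browser returns the cookie on the next request to that URL. On Servlet 3.1 containers (Tomcat 8 and later), `HttpServletRequest.changeSessionId()` rotates the ID while keeping session attributes, which is usually preferable to invalidating and recreating.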


