tomcat-users mailing list archives

From Stefan Haberl <birnbu...@gmail.com>
Subject Session does not get invalidated when sessionCookiePath is set to "/"
Date Wed, 02 Oct 2013 21:26:57 GMT


Begin forwarded message:


Hi,

I've a context.xml like so:

<Context
    sessionCookieDomain="acme.org"
    sessionCookieName="acme"
    useHttpOnly="true"
    disableURLRewriting="true">

  <!-- disable persistent sessions -->
  <Manager pathname="" />

</Context>


I'm using Spring Security, which creates a new session after a user has been authenticated
to prevent session fixation attacks. Everything works as expected *unless* I add a sessionCookiePath="/"
to the config above. With the cookie path set to root the following code (inside Spring Security's
SessionFixationProtectionStrategy):

HttpSession session = request.getSession();
String originalSessionId = session.getId();
...
session.invalidate();
session = request.getSession(true); // we now have a new session
...

will yield the *original* session again! I'm running on Tomcat 7.0.42.

Setting the cookie path to root is not necessary in my case (because I'm running the webapp
as ROOT anyhow), but is this expected behaviour?

Regards,
Stefan


--
Stefan Haberl
http://christa-und-stefan.net
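As an added example, not code from the original post, from Tomcat or from Spring Security: a servlet Filter that performs the same invalidate-then-recreate step and refuses to continue when the container hands back the unchanged session id, which is the symptom reported above. It assumes the Servlet 3.0 API (Tomcat 7) and a hypothetical session attribute "authenticatedNow" that the application's login code sets once authentication succeeds.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionMigrationCheckFilter implements Filter {
    // Hypothetical marker the application's login code sets once authentication succeeds.
    static final String MARKER = "authenticatedNow";

    /** Invalidate the current session, create a fresh one carrying the old attributes and
     *  return its id. Fails hard if the container hands back the original id, which is the
     *  symptom described in the post above. */
    static String migrateSession(HttpServletRequest request) throws ServletException {
        HttpSession old = request.getSession(false);
        if (old == null) {
            return request.getSession(true).getId();
        }
        String originalId = old.getId();
        Map<String, Object> attrs = new HashMap<String, Object>();
        for (Enumeration<String> names = old.getAttributeNames(); names.hasMoreElements();) {
            String name = names.nextElement();
            attrs.put(name, old.getAttribute(name));
        }
        attrs.remove(MARKER); // do not migrate again on the next request
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        if (originalId.equals(fresh.getId())) {
            // Fixation protection silently failed; refuse to continue with the old id.
            throw new ServletException("session id unchanged after invalidate(): " + originalId);
        }
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh.getId();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);
        if (session != null && Boolean.TRUE.equals(session.getAttribute(MARKER))) {
            migrateSession(request);
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Throwing on an unchanged id turns the silent failure into a visible error in the container log, so a misconfiguration such as the one discussed above is caught instead of leaving the pre-authentication id in use.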






