tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Notifying application of session changes that happened outside of its scope
Date Fri, 14 Mar 2014 12:37:39 GMT

Joseph,

On 3/14/14, 5:59 AM, Joseph Bleau wrote:
> Right now we're running our application in Tomcat and using
> hazelcast to share information across our multiple instances. In an
> attempt to prevent session fixation I implemented a tomcat valve
> which invalidates sessions when a user authenticates (or in this
> case, just visits the authentication endpoints). This is causing an
> issue where our application proper isn't getting notified of
> invalidated sessions and they're hanging around in the hazelcast
> map.

Any reason not to trust Tomcat's session-fixation prevention (which
implements session-id changing, and already works across a cluster)?

> I tried everything I could to fix the session fixation problem
> within the scope of my application but no matter what I did it
> seemed like tomcat would persist a user's session even after
> invalidating it, so this was my solution, and of course I face an
> equally annoying and difficult problem.
> 
> We're using tomcat7, apache 2.2 / mod_jk to load balance, spring
> 3.1, and hazelcast 2.2
> 
> Any and all advice / tips / scorn appreciated. :-) Joseph Bleau
> 

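What "session-id changing" means next to the invalidate-on-authentication approach of the valve, as an added example that is not part of the original message and is not Tomcat code: a plain-Java toy session manager (all class and method names are hypothetical) in which changing the id keeps the session object and its attributes and raises no destroy event, while invalidating discards them and leaves cleanup to whoever hears the destroy event.

```java
import java.util.*;

/** Toy model of a session manager (added example; not Tomcat code). */
public class SessionIdRotationDemo {
    static final class Session {
        String id;
        final Map<String, Object> attrs = new HashMap<>();
        Session(String id) { this.id = id; }
    }

    private final Map<String, Session> sessions = new HashMap<>();
    final List<String> destroyed = new ArrayList<>(); // ids reported as destroyed

    Session create() {
        Session s = new Session(UUID.randomUUID().toString());
        sessions.put(s.id, s);
        return s;
    }

    Session find(String id) { return sessions.get(id); }

    /** Approach A: destroy the session at login and start a new one. */
    Session invalidateAndRecreate(Session old) {
        sessions.remove(old.id);
        destroyed.add(old.id);   // stands in for a session-destroyed callback
        return create();         // attributes are not carried over
    }

    /** Approach B: keep the session object, give it a new id. */
    void changeId(Session s) {
        sessions.remove(s.id);
        s.id = UUID.randomUUID().toString();
        sessions.put(s.id, s);
    }

    public static void main(String[] args) {
        SessionIdRotationDemo mgr = new SessionIdRotationDemo();
        Session s = mgr.create();
        s.attrs.put("cart", "3 items");   // constructed sample state
        String preLoginId = s.id;         // the id a fixation attack relies on
        mgr.changeId(s);                  // done at authentication time
        System.out.println("pre-login id still resolves: " + (mgr.find(preLoginId) != null));
        System.out.println("cart after id change: " + s.attrs.get("cart"));
        System.out.println("destroy events after id change: " + mgr.destroyed.size());
        Session fresh = mgr.invalidateAndRecreate(s);
        System.out.println("cart after invalidate: " + fresh.attrs.get("cart"));
        System.out.println("destroy events after invalidate: " + mgr.destroyed.size());
    }
}
```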