From Christopher Schultz <>
Subject Re: Notifying application of session changes that happened outside of its scope
Date Fri, 14 Mar 2014 15:04:19 GMT

On 3/14/14, 9:49 AM, Joesph Bleau wrote:
> I should also mention that after some very simple testing I was
> able to confirm that (of course) Tomcat is notifying my application
> when the session is invalidated in a valve. I'm still fairly new to
> this entire stack, so forgive my ignorance. :-)

No problem. Tomcat does in fact change the session id, but only
*after* a successful authentication (but before the session is blessed
with authentication information). I believe you said something about
changing the session id when the user accesses the login page --
regardless of whether the authentication attempt is successful. Tomcat
doesn't do that.

Mark does a good job describing the whole situation here:

- -chris

> On Fri, Mar 14, 2014 at 9:46 AM, Joesph Bleau <> wrote:
>> It's possible (read: likely) that we're doing something
>> incorrectly, but we're using Spring and it was already attempting
>> to provide session fixation within the application by
>> invalidating sessions upon authentication. However, it appears
>> that tomcat was providing us with the same session ID for our new
>> session. I've scoured the internet and I've seen that I'm not the
>> first person to have this problem, but there was no definitive
>> solution available. I ultimately settled on invalidating the 
>> session in the valve which appeared to work, tomcat didn't
>> provide the same ID here.
>> On Fri, Mar 14, 2014 at 8:37 AM, Christopher Schultz <> wrote:
> Joseph,
> On 3/14/14, 5:59 AM, Joesph Bleau wrote:
>>>>> Right now we're running our application in Tomcat and
>>>>> using hazelcast to share information across our multiple
>>>>> instances. In an attempt to prevent session fixation I
>>>>> implemented a tomcat valve which invalidates sessions when
>>>>> a user authenticates (or in this case, just visits the
>>>>> authentication endpoints). This is causing an issue where
>>>>> our application proper isn't getting notified of 
>>>>> invalidated sessions and they're hanging around in the
>>>>> hazelcast map.
> Any reason not to trust Tomcat's session-fixation prevention
> (which implements session-id changing, and already works across a
> cluster)?
>>>>> I tried everything I could to fix the session fixation
>>>>> problem within the scope of my application but no matter
>>>>> what I did it seemed like tomcat would persist a users
>>>>> session even after invalidating it, so this was my
>>>>> solution, and of course I face an equally annoying and
>>>>> difficult problem.
>>>>> We're using tomcat7, apache 2.2 / mod_jk to load balance,
>>>>> spring 3.1, and hazelcast 2.2
>>>>> Any and all advice / tips / scorn appreciated. :-) Joseph
>>>>> Bleau
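As an added example, not code from this thread, from Tomcat or from Joseph's application: a Servlet 3.0 HttpSessionListener that drops the shared-map entry for a session whenever the container destroys it, which covers a session expiring, the webapp calling invalidate(), and a Valve invalidating it before the webapp ever sees the request (the notification Joseph confirmed he receives). SharedSessionStore and SharedSessionCleanupListener are hypothetical names; the shared map is typed as java.util.concurrent.ConcurrentMap, an interface Hazelcast's IMap implements, so no Hazelcast-specific call is assumed.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Holder for the map the application shares across Tomcat instances,
 * keyed by session id. Hypothetical name (not from the thread). In the
 * setup described there this would be the Hazelcast IMap, which implements
 * ConcurrentMap, so it can be handed to use() at startup without any
 * Hazelcast-specific call appearing here. The ConcurrentHashMap default
 * only makes the class usable stand-alone.
 */
final class SharedSessionStore {
    private static volatile ConcurrentMap<String, Object> map =
            new ConcurrentHashMap<String, Object>();

    private SharedSessionStore() {}

    static ConcurrentMap<String, Object> map() {
        return map;
    }

    /** Swap in the real cluster map, e.g. from a ServletContextListener. */
    static void use(ConcurrentMap<String, Object> shared) {
        map = shared;
    }
}

/**
 * Fires for every session the container destroys: timeout, an explicit
 * session.invalidate() inside the webapp, or an invalidate() issued by a
 * Valve that runs before the request reaches the application. Registered
 * with @WebListener (Servlet 3.0, which Tomcat 7 supports); a <listener>
 * element in web.xml naming this class does the same job.
 */
@WebListener
public class SharedSessionCleanupListener implements HttpSessionListener {

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // No-op: entries are written lazily by the application itself.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // The id is still readable inside this callback; once it returns the
        // session object is gone and a shared entry keyed by it would be
        // orphaned, which is exactly the leak described in the thread.
        String id = se.getSession().getId();
        SharedSessionStore.map().remove(id);
    }
}
```

Two caveats for anyone reproducing the setup in the thread. First, this listener only covers destruction. When Tomcat's authenticator changes the session id after a successful login (the behaviour Chris describes; in Tomcat 7 it is controlled by the changeSessionIdOnAuthentication attribute of the authenticator valve, which defaults to true), the Servlet 3.0 API that Tomcat 7 implements has no listener for an id change, so an external map keyed by session id is left holding the old key. Keeping the data as session attributes, which the session manager replicates together with the session, or keying the external map by something that survives the id change such as the authenticated principal, avoids that. Second, a Valve that invalidates the session on every visit to the login page rather than on a successful authentication throws away state for users who merely navigated there, which is why Chris points out that Tomcat itself only changes the id after the credentials have been accepted.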