tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Notifying application of session changes that happened outside of its scope
Date Fri, 14 Mar 2014 18:43:15 GMT

Konstantin,

On 3/14/14, 11:28 AM, Konstantin Kolinko wrote:
> 2014-03-14 19:04 GMT+04:00 Christopher Schultz
> <chris@christopherschultz.net>:
>> Joseph,
>> 
>> On 3/14/14, 9:49 AM, Joesph Bleau wrote:
>>> I should also mention that after some very simple testing I
>>> was able to confirm that (of course) Tomcat is notifying my
>>> application when the session is invalidated in a valve. I'm
>>> still fairly new to this entire stack, so forgive my ignorance.
>>> :-)
>> 
>> No problem. Tomcat does in fact change the session id, but only 
>> *after* a successful authentication (but before the session is
>> blessed with authentication information). I believe you said
>> something about changing the session id when the user accesses
>> the login page -- regardless of whether the authentication
>> attempt is successful. Tomcat doesn't do that.
> 
> Tomcat does that.
> 
> For FORM authentication the session id is changed twice. This
> security feature is CVE-2013-2067.

Thanks for the clarification. I didn't know that Tomcat did a
double-id-change. Just because you're paranoid doesn't mean they
aren't watching you.

-chris
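The thread above turns on two things: the container (Tomcat's FORM authenticator, per CVE-2013-2067) rotates the session id around a successful login, and the application wants to be told when a session id changes or a session is invalidated outside its own code (e.g. in a Valve). The example below is added here and is not code from the thread or from Tomcat's sources. It assumes a Servlet 3.1 container (Tomcat 8 or later), which is where `HttpSessionIdListener` and `HttpServletRequest.changeSessionId()` exist; the `USER_BY_SESSION_ID` map, the `login.attempts` attribute and the `onSuccessfulLogin` helper are hypothetical and exist only to show the pattern.

```java
// Added example, not from the thread or from Tomcat's own sources.
// Assumes Servlet 3.1 (Tomcat 8+), which provides HttpSessionIdListener
// and HttpServletRequest.changeSessionId().
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;

/**
 * Keeps an application-side table keyed by session id in sync with
 * id rotations the container performs (such as Tomcat's rotation on a
 * successful FORM login) and with invalidations done outside the app,
 * e.g. in a Valve.
 */
@WebListener
public class SessionIdTracker implements HttpSessionIdListener, HttpSessionListener {

    private static final Logger LOG = Logger.getLogger(SessionIdTracker.class.getName());

    // Hypothetical application table keyed by session id (say, for a
    // "who is online" page). Keying on the id string is exactly why the
    // app needs this notification; keying on an attribute avoids it.
    static final Map<String, String> USER_BY_SESSION_ID = new ConcurrentHashMap<>();

    // Called by the container after the id has been changed, whether by
    // the FORM authenticator or by an explicit changeSessionId().
    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        String newId = event.getSession().getId();
        String user = USER_BY_SESSION_ID.remove(oldSessionId);
        if (user != null) {
            USER_BY_SESSION_ID.put(newId, user);
        }
        // Log the fact, never the ids: a logged session id is a credential.
        LOG.info("session id rotated for user " + user);
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Nothing to track until someone logs in.
    }

    // Fires for invalidation from anywhere, including a Valve.
    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        USER_BY_SESSION_ID.remove(event.getSession().getId());
    }

    /**
     * For applications that verify credentials in their own code instead
     * of through the container's FORM authenticator. Rotate the id after
     * the credentials check and before any authenticated state is stored,
     * so an id that existed before login is never promoted to an
     * authenticated one. Hypothetical helper, not a servlet API.
     */
    static void onSuccessfulLogin(HttpServletRequest request, String username) {
        HttpSession session = request.getSession(true);
        // Drop pre-login state that must not carry over (hypothetical attribute).
        session.removeAttribute("login.attempts");
        // changeSessionId() requires an existing session and triggers
        // sessionIdChanged() on every registered HttpSessionIdListener.
        String newId = request.changeSessionId();
        session.setAttribute("user", username);
        USER_BY_SESSION_ID.put(newId, username);
    }
}
```

With container-managed FORM authentication the `onSuccessfulLogin` path is not needed: Tomcat performs the rotation itself and the listener simply observes it. The listener is also what answers the original question in the subject line, since `sessionIdChanged` and `sessionDestroyed` fire regardless of whether the change originated in the application, the authenticator, or a Valve.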
