tomcat-users mailing list archives

From Konstantin Kolinko <>
Subject Re: Notifying application of session changes that happened outside of its scope
Date Fri, 14 Mar 2014 15:28:10 GMT
2014-03-14 19:04 GMT+04:00 Christopher Schultz <>:
> Joseph,
> On 3/14/14, 9:49 AM, Joesph Bleau wrote:
>> I should also mention that after some very simple testing I was
>> able to confirm that (of course) Tomcat is notifying my application
>> when the session is invalidated in a valve. I'm still fairly new to
>> this entire stack, so forgive my ignorance. :-)
> No problem. Tomcat does in fact change the session id, but only
> *after* a successful authentication (but before the session is blessed
> with authentication information). I believe you said something about
> changing the session id when the user accesses the login page --
> regardless of whether the authentication attempt is successful. Tomcat
> doesn't do that.

Tomcat does that.

For FORM authentication the session id is changed twice. This security
feature is CVE-2013-2067.

> Mark does a good job describing the whole situation here:

Best regards,
Konstantin Kolinko
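One way an application can observe the container-driven id rotation discussed above is a session listener. The following is an added example, not code from the thread; it assumes the Servlet 3.1 `HttpSessionIdListener` API (Tomcat 8 and later), which the message does not mention, and records each rotation in the session itself so the application can verify that the post-authentication change happened.

```java
import java.time.Instant;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

/**
 * Audits session events that the container performs on the application's
 * behalf: creation, id rotation (e.g. after a successful FORM login) and
 * invalidation (including invalidation done in a valve). Example code;
 * Servlet 3.1 / Tomcat 8+ is assumed.
 */
@WebListener
public class SessionAuditListener implements HttpSessionIdListener, HttpSessionListener {

    /** Session attribute holding the audit trail (constructed name). */
    static final String AUDIT_KEY = "sessionAudit.idHistory";

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        List<String> history = new CopyOnWriteArrayList<>();
        history.add(Instant.now() + " created id=" + s.getId());
        s.setAttribute(AUDIT_KEY, history);
    }

    @Override
    public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
        // The session object and its attributes survive the rotation; only
        // the identifier changes, so the trail stored above is still there.
        HttpSession s = se.getSession();
        @SuppressWarnings("unchecked")
        List<String> history = (List<String>) s.getAttribute(AUDIT_KEY);
        if (history == null) {
            history = new CopyOnWriteArrayList<>();
            s.setAttribute(AUDIT_KEY, history);
        }
        history.add(Instant.now() + " rotated " + oldSessionId + " -> " + s.getId());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Fires for explicit invalidate(), timeouts and container-side
        // invalidation alike; attributes are still readable here.
        Object history = se.getSession().getAttribute(AUDIT_KEY);
        System.out.println("session " + se.getSession().getId() + " destroyed; history=" + history);
    }
}
```

After a FORM login, the trail should show one rotation entry for each id change the container performed, which is the behaviour the reply above describes.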
