tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Notifying application of session changes that happened outside of its scope
Date Fri, 14 Mar 2014 15:28:10 GMT
2014-03-14 19:04 GMT+04:00 Christopher Schultz <chris@christopherschultz.net>:
> Joseph,
>
> On 3/14/14, 9:49 AM, Joesph Bleau wrote:
>> I should also mention that after some very simple testing I was
>> able to confirm that (of course) Tomcat is notifying my application
>> when the session is invalidated in a valve. I'm still fairly new to
>> this entire stack, so forgive my ignorance. :-)
>
> No problem. Tomcat does in fact change the session id, but only
> *after* a successful authentication (but before the session is blessed
> with authentication information). I believe you said something about
> changing the session id when the user accesses the login page --
> regardless of whether the authentication attempt is successful. Tomcat
> doesn't do that.

Tomcat does that.

For FORM authentication the session id is changed twice. This security
feature is CVE-2013-2067.

> Mark does a good job describing the whole situation here:
> http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection
>

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
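The session id rotation discussed above, shown from the application side as an added example that is not part of this thread or of Tomcat's own code. It assumes the Servlet 3.1 API (Tomcat 8 or later), where HttpSessionIdListener and HttpServletRequest.changeSessionId() exist; the listener is notified of every id change, including the ones Tomcat's authenticator performs itself, and the login helper follows the same order the thread describes (rotate the id, then store authentication state). The credential check is a constructed stand-in.

```java
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

// Assumes the Servlet 3.1 API (Tomcat 8 or later), which is where
// HttpSessionIdListener and HttpServletRequest.changeSessionId() appear.
@WebListener
public class SessionFixationGuard implements HttpSessionIdListener {

    // Called by the container for every session id change, including the
    // ones Tomcat's own authenticator performs during FORM login, so the
    // application hears about rotations it did not trigger itself.
    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        HttpSession session = event.getSession();
        // Log only a prefix: a full session id is a credential and must not
        // end up in log files.
        session.getServletContext().log("session id rotated: "
                + prefix(oldSessionId) + "... -> " + prefix(session.getId()) + "...");
    }

    // Application-managed login that follows the same order Tomcat uses:
    // verify, rotate the id, and only then store authentication state.
    // The credential check is a constructed stand-in, not a real store.
    public static boolean login(HttpServletRequest req, String user, String password) {
        boolean ok = "demo".equals(user) && "demo-password".equals(password);
        if (!ok) {
            // Failed attempt: nothing was granted, so there is nothing to protect.
            return false;
        }
        // Rotate before blessing the session, so an id issued before login
        // never becomes an authenticated one.
        req.changeSessionId();
        req.getSession().setAttribute("user", user);
        return true;
    }

    static String prefix(String id) {
        return id == null ? "null" : id.substring(0, Math.min(8, id.length()));
    }
}
```

Deploy the class under WEB-INF/classes; the @WebListener annotation registers it without any web.xml entry when annotation scanning is enabled.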

