tomcat-users mailing list archives

From Joesph Bleau <jbl...@systemsinmotion.com>
Subject Re: Notifying application of session changes that happened outside of its scope
Date Fri, 14 Mar 2014 16:33:16 GMT
Would anybody be surprised if I mentioned that we're running an outdated version of
Tomcat? Thanks for the tip. I'm going to remove Spring's session fixation
prevention strategy, and also remove the custom valve I had written, and
upgrade to a version unaffected by this and test. This is going to
alleviate a lot of headache (well, until I tell our managers that we need
to upgrade Tomcat as a part of our next deploy... :P)


On Fri, Mar 14, 2014 at 11:28 AM, Konstantin Kolinko <knst.kolinko@gmail.com> wrote:

> 2014-03-14 19:04 GMT+04:00 Christopher Schultz <chris@christopherschultz.net>:
> > Joseph,
> >
> > On 3/14/14, 9:49 AM, Joesph Bleau wrote:
> >> I should also mention that after some very simple testing I was
> >> able to confirm that (of course) Tomcat is notifying my application
> >> when the session is invalidated in a valve. I'm still fairly new to
> >> this entire stack, so forgive my ignorance. :-)
> >
> > No problem. Tomcat does in fact change the session id, but only
> > *after* a successful authentication (but before the session is blessed
> > with authentication information). I believe you said something about
> > changing the session id when the user accesses the login page --
> > regardless of whether the authentication attempt is successful. Tomcat
> > doesn't do that.
>
> Tomcat does that.
>
> For FORM authentication the session id is changed twice. This security
> feature is CVE-2013-2067.
>
> > Mark does a good job describing the whole situation here:
> > http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection
> >
>
> Best regards,
> Konstantin Kolinko
>
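Added example, not code from this thread or from Tomcat itself: a Servlet 3.1 `HttpSessionIdListener` (available in Tomcat 8 and later) that lets the application keep its own session registry in step with the container-driven id changes Konstantin describes, without a custom valve. The class name, registry and principal strings are assumptions for illustration.

```java
// Added example (hypothetical class, not part of the thread or of Tomcat).
// Assumes a Servlet 3.1 container such as Tomcat 8+; on older Tomcat the
// HttpSessionIdListener interface does not exist.
package example.session;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

@WebListener
public class SessionIdChangeTracker implements HttpSessionIdListener, HttpSessionListener {
    private static final Logger LOG = Logger.getLogger(SessionIdChangeTracker.class.getName());

    // Application-side registry keyed by session id (e.g. the kind of registry
    // a framework uses to limit concurrent logins). Constructed for this example.
    private static final Map<String, String> REGISTRY = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        REGISTRY.put(se.getSession().getId(), "anonymous");
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        REGISTRY.remove(se.getSession().getId());
    }

    // Invoked by the container after it rotates the id, which Tomcat's
    // session-fixation protection does on authentication (twice for FORM auth).
    // Re-key the registry so the old id no longer maps to anything.
    @Override
    public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
        String newId = se.getSession().getId();
        String principal = REGISTRY.remove(oldSessionId);
        REGISTRY.put(newId, principal == null ? "anonymous" : principal);
        // Deliberately log the event only, never the session ids themselves.
        LOG.info("container rotated a session id; registry re-keyed");
    }

    // Called by the application's own login code once authentication succeeds.
    public static void bind(String sessionId, String principal) {
        REGISTRY.put(sessionId, principal);
    }

    public static String principalFor(String sessionId) {
        return REGISTRY.get(sessionId);
    }
}
```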
