From Joesph Bleau <jbl...@systemsinmotion.com>
Subject Re: Notifying application of session changes that happened outside of its scope
Date Fri, 14 Mar 2014 13:49:52 GMT
I should also mention that after some very simple testing I was able to
confirm that (of course) Tomcat is notifying my application when the
session is invalidated in a valve. I'm still fairly new to this entire
stack, so forgive my ignorance. :-)

Cheers.


On Fri, Mar 14, 2014 at 9:46 AM, Joesph Bleau <jbleau@systemsinmotion.com> wrote:

> It's possible (read: likely) that we're doing something incorrectly, but
> we're using Spring and it was already attempting to provide session
> fixation within the application by invalidating sessions upon
> authentication. However, it appears that tomcat was providing us with the
> same session ID for our new session. I've scoured the internet and I've
> seen that I'm not the first person to have this problem, but there was no
> definitive solution available. I ultimately settled on invalidating the
> session in the valve which appeared to work, tomcat didn't provide the same
> ID here.
>
>
> On Fri, Mar 14, 2014 at 8:37 AM, Christopher Schultz <chris@christopherschultz.net> wrote:
>
>>
>> Joseph,
>>
>> On 3/14/14, 5:59 AM, Joesph Bleau wrote:
>> > Right now we're running our application in Tomcat and using
>> > hazelcast to share information across our multiple instances. In an
>> > attempt to prevent session fixation I implemented a tomcat valve
>> > which invalidates sessions when a user authenticates (or in this
>> > case, just visits the authentication endpoints). This is causing an
>> > issue where our application proper isn't getting notified of
>> > invalidated sessions and they're hanging around in the hazelcast
>> > map.
>>
>> Any reason not to trust Tomcat's session-fixation prevention (which
>> implements session-id changing, and already works across a cluster)?
>>
>> > I tried everything I could to fix the session fixation problem
>> > within the scope of my application but no matter what I did it
>> > seemed like tomcat would persist a user's session even after
>> > invalidating it, so this was my solution, and of course I face an
>> > equally annoying and difficult problem.
>> >
>> > We're using tomcat7, apache 2.2 / mod_jk to load balance, spring
>> > 3.1, and hazelcast 2.2
>> >
>> > Any and all advice / tips / scorn appreciated. :-) Joseph Bleau
>> >
>

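Since the thread's open question was whether the application sees a session that a valve invalidated, here is an added example (not from the thread, and not Tomcat's, Spring's or Hazelcast's own code) of the standard Servlet 3.0 hook that fires for every session destruction, whoever triggers it: an HttpSessionListener that evicts the shared-map entry keyed by the session id. The `ConcurrentMap` field stands in for the Hazelcast map (Hazelcast's IMap implements ConcurrentMap); keying the shared state by session id is an assumption.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Called by the container whenever a session is destroyed: an explicit
 * invalidate() from the webapp, an invalidate() from a Tomcat Valve, or
 * expiry by the background reaper. sessionDestroyed() runs before the
 * session is torn down, so getId() is still readable here.
 */
@WebListener
public class SharedStateSessionListener implements HttpSessionListener {

    // Stand-in for the Hazelcast map shared across the Tomcat instances
    // (assumption: per-user state is keyed by session id). Hazelcast's
    // IMap implements ConcurrentMap, so the same calls apply to it.
    private static final ConcurrentMap<String, Object> SHARED_STATE =
            new ConcurrentHashMap<String, Object>();

    public static ConcurrentMap<String, Object> sharedState() {
        return SHARED_STATE;
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to do here: the app writes its entry on login.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        // Drop the entry so it does not linger in the shared map after
        // the session was invalidated outside the application's scope.
        SHARED_STATE.remove(session.getId());
    }
}
```

Tomcat 7 implements Servlet 3.0, so the listener can be registered either with the @WebListener annotation shown or with a <listener> element in web.xml.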