tomcat-users mailing list archives

From Joesph Bleau <jbl...@systemsinmotion.com>
Subject Re: Notifying application of session changes that happened outside of its scope
Date Fri, 14 Mar 2014 13:46:05 GMT
It's possible (read: likely) that we're doing something incorrectly, but
we're using Spring and it was already attempting to provide session
fixation within the application by invalidating sessions upon
authentication. However, it appears that Tomcat was providing us with the
same session ID for our new session. I've scoured the internet and I've
seen that I'm not the first person to have this problem, but there was no
definitive solution available. I ultimately settled on invalidating the
session in the valve, which appeared to work; Tomcat didn't provide the same
ID here.


On Fri, Mar 14, 2014 at 8:37 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Joseph,
>
> On 3/14/14, 5:59 AM, Joesph Bleau wrote:
> > Right now we're running our application in Tomcat and using
> > hazelcast to share information across our multiple instances. In an
> > attempt to prevent session fixation I implemented a tomcat valve
> > which invalidates sessions when a user authenticates (or in this
> > case, just visits the authentication endpoints). This is causing an
> > issue where our application proper isn't getting notified of
> > invalidated sessions and they're hanging around in the hazelcast
> > map.
>
> Any reason not to trust Tomcat's session-fixation prevention (which
> implements session-id changing, and already works across a cluster)?
>
> > I tried everything I could to fix the session fixation problem
> > within the scope of my application but no matter what I did it
> > seemed like tomcat would persist a users session even after
> > invalidating it, so this was my solution, and of course I face an
> > equally annoying and difficult problem.
> >
> > We're using tomcat7, apache 2.2 / mod_jk to load balance, spring
> > 3.1, and hazelcast 2.2
> >
> > Any and all advice / tips / scorn appreciated. :-) Joseph Bleau
> >
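The two halves of the problem discussed in this thread, rotating the session ID at login from a valve and letting the web application hear about it, as an added example that is not code from either poster. The valve rotates the ID through the Servlet API (copy attributes, invalidate, create a fresh session, restore attributes), so the application's own HttpSessionListener sees a destroy and a create for every rotation and can keep its Hazelcast map in step. Package, class and attribute names, the login path and the map name are assumptions; the thread does not give them.

```java
// Added example, not from the thread. Two source files for a Tomcat 7 /
// Servlet 3.0 deployment; all names below are hypothetical.

// File 1: AuthSessionRotationValve.java, on Tomcat's classpath (lib/) and wired
// in context.xml as <Valve className="com.example.session.AuthSessionRotationValve"/>
package com.example.session;

import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpSession;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/** Gives the client a new session ID when it hits the login endpoint. */
public class AuthSessionRotationValve extends ValveBase {

    // Hypothetical login path (configurable via <Valve ... authPath="..."/>).
    private String authPath = "/j_spring_security_check";

    public void setAuthPath(String authPath) { this.authPath = authPath; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        HttpSession old = request.getSession(false);
        String loginUri = request.getContextPath() + authPath;
        if (old != null && loginUri.equals(request.getRequestURI())) {
            // Keep whatever the application already stored (e.g. a saved request).
            Map<String, Object> saved = new HashMap<String, Object>();
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String n = names.nextElement();
                saved.put(n, old.getAttribute(n));
            }
            String oldId = old.getId();
            old.invalidate();                             // listeners: sessionDestroyed(oldId)
            HttpSession fresh = request.getSession(true); // listeners: sessionCreated(newId)
            for (Map.Entry<String, Object> e : saved.entrySet()) {
                fresh.setAttribute(e.getKey(), e.getValue());
            }
            // The symptom reported in the thread: refuse to proceed with a reused ID.
            if (oldId.equals(fresh.getId())) {
                throw new ServletException("session ID was not rotated on authentication");
            }
        }
        getNext().invoke(request, response);
    }
}

// File 2: SessionRegistryListener.java, inside the web application
// (WEB-INF/classes); picked up via @WebListener or a <listener> in web.xml.
package com.example.session;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import com.hazelcast.core.HazelcastInstance;
import com.hazelcast.core.IMap;

/** Mirrors live session IDs into a Hazelcast map, including changes made by valves. */
@WebListener
public class SessionRegistryListener implements HttpSessionListener {

    // Hypothetical: the application stores its HazelcastInstance under this
    // ServletContext attribute at startup, and keys the map by session ID.
    private static final String HZ_ATTR = "com.example.hazelcast";
    private static final String MAP_NAME = "live-sessions";

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        map(event).put(event.getSession().getId(), System.currentTimeMillis());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Tomcat fires this for invalidate() from any caller and for expiry,
        // so entries for rotated sessions do not linger in the cluster map.
        map(event).remove(event.getSession().getId());
    }

    private IMap<String, Long> map(HttpSessionEvent event) {
        HazelcastInstance hz = (HazelcastInstance)
                event.getSession().getServletContext().getAttribute(HZ_ATTR);
        return hz.getMap(MAP_NAME);
    }
}
```

Two caveats worth checking before relying on this. First, the Tomcat mechanism Christopher refers to (the `changeSessionIdOnAuthentication` attribute of the Authenticator valves, on by default in Tomcat 7) only runs when Tomcat itself performs the authentication through a Realm and `<login-config>`; when Spring Security handles the login form, Tomcat's authenticator is not involved, which is why a separate rotation step is needed at all. Second, Tomcat's built-in path changes the ID in place rather than destroying the session, so an HttpSessionListener sees no event for it, and the `HttpSessionIdListener` that reports such changes arrived only with Servlet 3.1 (Tomcat 8). On Tomcat 7, a map keyed by session ID should therefore either rely on destroy/create rotation as above or re-check the current ID on each request.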
