From: Joesph Bleau
To: Tomcat Users List
Date: Fri, 14 Mar 2014 09:49:52 -0400
Subject: Re: Notifying application of session changes that happened outside of its scope

I should also mention that after some very simple testing I was able to confirm that (of course) Tomcat is notifying my application when the session is invalidated in a valve.

I'm still fairly new to this entire stack, so forgive my ignorance. :-)

Cheers.

On Fri, Mar 14, 2014 at 9:46 AM, Joesph Bleau wrote:

> It's possible (read: likely) that we're doing something incorrectly, but
> we're using Spring and it was already attempting to provide session
> fixation within the application by invalidating sessions upon
> authentication. However, it appears that tomcat was providing us with the
> same session ID for our new session. I've scoured the internet and I've
> seen that I'm not the first person to have this problem, but there was no
> definitive solution available. I ultimately settled on invalidating the
> session in the valve, which appeared to work; tomcat didn't provide the same
> ID here.
>
> On Fri, Mar 14, 2014 at 8:37 AM, Christopher Schultz <chris@christopherschultz.net> wrote:
>
>> Joseph,
>>
>> On 3/14/14, 5:59 AM, Joesph Bleau wrote:
>> > Right now we're running our application in Tomcat and using
>> > hazelcast to share information across our multiple instances. In an
>> > attempt to prevent session fixation I implemented a tomcat valve
>> > which invalidates sessions when a user authenticates (or in this
>> > case, just visits the authentication endpoints). This is causing an
>> > issue where our application proper isn't getting notified of
>> > invalidated sessions and they're hanging around in the hazelcast
>> > map.
>>
>> Any reason not to trust Tomcat's session-fixation prevention (which
>> implements session-id changing, and already works across a cluster)?
>>
>> > I tried everything I could to fix the session fixation problem
>> > within the scope of my application but no matter what I did it
>> > seemed like tomcat would persist a user's session even after
>> > invalidating it, so this was my solution, and of course I face an
>> > equally annoying and difficult problem.
>> >
>> > We're using tomcat7, apache 2.2 / mod_jk to load balance, spring
>> > 3.1, and hazelcast 2.2
>> >
>> > Any and all advice / tips / scorn appreciated. :-)
>> >
>> > Joseph Bleau
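The alternative Chris points to, rotating the session id on authentication instead of invalidating the session, can also be done from a valve; the class below is an added illustration for this thread, not code from the posters, Tomcat or Spring. It assumes Tomcat 7's internal API (Manager.changeSessionId(Session) and Request.changeSessionId(String), the same calls Tomcat's own authenticators use) and a constructed login path of /login.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.Manager;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Illustrative valve (not from the thread). On a request to the
 * authentication endpoint it gives the existing session a fresh id.
 * The session object and its attributes survive, so sessionDestroyed()
 * never fires and nothing is left orphaned in an application-side map,
 * while any id the client held before authenticating stops being valid.
 */
public class RotateSessionIdValve extends ValveBase {

    /** Assumed login path; configurable as authPath="..." on the <Valve>. */
    private String authPath = "/login";

    public void setAuthPath(String authPath) {
        this.authPath = authPath;
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Only touch sessions that already exist; never create one here.
        Session session = request.getSessionInternal(false);
        String loginUri = request.getContextPath() + authPath;
        if (session != null && loginUri.equals(request.getDecodedRequestURI())) {
            Manager manager = request.getContext().getManager();
            // Tomcat 7: generate a new random id and re-key the session in
            // the manager (clustered managers propagate the change).
            manager.changeSessionId(session);
            // Bind the request to the new id so the response's session
            // cookie carries it to the client.
            request.changeSessionId(session.getId());
            containerLog.info("Rotated session id for client "
                    + request.getRemoteAddr() + " on " + loginUri);
        }
        getNext().invoke(request, response);
    }
}
```

If the application keeps its own shared map keyed by session id (as the Hazelcast map in the thread may be), that map must be re-keyed on rotation too, since no servlet listener is fired for an id change on Tomcat 7.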