tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Session fixation & Tomcat 7
Date Sun, 18 May 2014 15:34:34 GMT

Akash,

On 5/8/14, 9:56 PM, Akash Jain wrote:
> Hi,
> 
> I am trying to resolve session fixation issue with tomcat 7.0.52
> 
> We have a Spring MVC application running on it, and the Auth method
> is provided by another application which writes cookie, and we use
> the cookie value to check whether the user is valid or not.
> 
> My application URL patterns are / - Home page /login - Redirect to
> another application to ask user to authenticate /myaccess/user***
> --> All authenticated URL's
> 
> <Context path="" docBase="myapplication"
>          sessionCookieName="mycookiename"
>          sessionCookieDomain="application.mydomain.com"
>          sessionCookiePath="/">
> 
> As I cannot use org.apache.catalina.authenticator.FormAuthenticator
> here.
> 
> How can i prevent the session fixation ?

If you are managing the authentication yourself, then you'll have to
handle (mitigate) session fixation yourself, too. You can invalidate
and create a new session in the same request, if you want.

- -chris
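The approach Chris describes (invalidate the current session and create a fresh one within the same request, once the externally issued authentication cookie has been verified) can be done in a servlet filter. The filter below is an added example, not code from the thread or from Tomcat; the cookie name `AUTH_TOKEN`, the `isValidAuthToken` check and the `sessionRotatedForToken` marker attribute are assumptions, since the thread does not say what the external application writes or how its value is validated. It targets the Servlet 3.0 API that Tomcat 7 implements, so it uses invalidate-then-create rather than `HttpServletRequest.changeSessionId()`, which only exists from Servlet 3.1 (Tomcat 8) onward.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Rotates the Tomcat session id the first time a request arrives carrying a
 * valid authentication cookie, so that a session id fixed before login is
 * never the id of an authenticated session.
 */
public class SessionRotationFilter implements Filter {

    // Assumption: the external login application sets a cookie with this name.
    private static final String AUTH_COOKIE = "AUTH_TOKEN";

    // Session attribute remembering which token this session was already rotated for,
    // so the rotation happens once per login rather than on every request.
    private static final String ROTATED_FOR = "sessionRotatedForToken";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String token = authCookieValue(request);

        if (token != null && isValidAuthToken(token)) {
            HttpSession session = request.getSession(false);
            boolean alreadyRotated = session != null
                    && token.equals(session.getAttribute(ROTATED_FOR));
            if (!alreadyRotated) {
                // Must run before anything is written to the response: Tomcat sends the
                // new session id as a Set-Cookie header when the fresh session is created.
                session = rotateSession(request);
                session.setAttribute(ROTATED_FOR, token);
            }
        }
        chain.doFilter(req, res);
    }

    /** Invalidate the current session and create a new one, carrying attributes over. */
    static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> attributes = new HashMap<String, Object>();
        if (old != null) {
            for (Enumeration<String> names = old.getAttributeNames(); names.hasMoreElements();) {
                String name = names.nextElement();
                attributes.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        // A new session gets a freshly generated id; the pre-login id is now unusable.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : attributes.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }

    private static String authCookieValue(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (AUTH_COOKIE.equals(cookie.getName())) {
                return cookie.getValue();
            }
        }
        return null;
    }

    // Assumption: the application already has a way to verify the external cookie
    // ("we use the cookie value to check whether the user is valid"); plug it in here.
    private static boolean isValidAuthToken(String token) {
        return token.trim().length() > 0 && ExternalAuthClient.isValid(token);
    }

    /** Hypothetical stand-in for whatever the application uses to verify the cookie. */
    static final class ExternalAuthClient {
        static boolean isValid(String token) {
            throw new UnsupportedOperationException("replace with the real cookie check");
        }
    }
}
```

Map the filter on `/*` in `web.xml` (or at least on `/myaccess/*`) so it runs on the first authenticated request after the redirect back from the login application. Copying attributes across the rotation keeps any pre-login state the application relies on; if nothing from the anonymous session is needed, dropping the copy loop is simpler and leaks less across the boundary.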
