tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From 이강우(KangWoo Lee) <koo...@gmail.com>
Subject Re: is normal keep value when tomcat restart after JSESSIONID was create?
Date Thu, 23 Oct 2014 17:55:11 GMT
I found a causes. set the context attribute sessioncookiepath="/" is same
affect of emptysessionpath. tomcat document says if set emptysessionpath
then yomcat using session id value of client request.

I solve it. thanks to your comment.
2014. 10. 24. 오전 12:42에 "Christopher Schultz" <chris@christopherschultz.net>님이
작성:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> 이강우,
>
> On 10/23/14 1:56 AM, 이강우(KangWoo Lee) wrote:
> > ok I undertand.
> >
> > -> the session identifier should change to prevent session-fixation
> > attacks.
> >
> > but how I can set tomcat to regenerate id value? I was search
> > document, but can't find it
>
> I'm not sure what you are asking. Can you ask in a different way? Do
> you want Tomcat to reject the requested (invalid) session id and
> generate a new one instead?
>
> - -chris
>
> > 2014-10-22 22:44 GMT+09:00 Christopher Schultz
> > <chris@christopherschultz.net
> >> :
> >
> > 이강우,
> >
> > On 10/22/14 4:41 AM, 이강우(KangWoo Lee) wrote:
> >>>> Environment - openjdk 1.7 - tomcat 7.0.55 with native
> >>>> connector - apache 2.4.10 with mod-jk 1.2.40
> >>>>
> >>>> 1. Tomcat start 2. Client request -> JSESSIONID is null 3.
> >>>> tomcat response ->
> >>>> JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 is create 4.
> >>>> refresh page -> session attribute(name=count, value=count++)
> >>>> is correct. count is increasing.
> >
> > Good so far.
> >
> >>>> 5. Tomcat stop -> start (restart) context setting is session
> >>>> is not persist
> >
> > Okay.
> >
> >>>> 6. Client refresh -> client request is send
> >>>> JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 7. session
> >>>> attribute(name=count, value=0) is reset. but keeping
> >>>> JSESSIONID
> >>>>
> >>>> question. why tomcat using JSESSIONID set by client request
> >>>> value? is not regenerate?
> >
> > If the client requests a session by id, Tomcat will try to give it
> > to them. If it doesn't exist, it will use that session identifier
> > for the new session.
> >
> > Did the user actually authenticate with Tomcat? Or just get an
> > anonymous session? If the user authenticates with Tomcat, the
> > session identifier should change to prevent session-fixation
> > attacks.
> >
> >>>> is this java spec?
> >
> > I believe the spec says nothing about the generation of session
> > ids. Even the above session-fixation behavior is outside of the
> > spec (but definitely does not violate it).
> >
> > -chris
> >>
> >> ---------------------------------------------------------------------
> >>
> >>
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: GPGTools - http://gpgtools.org
>
> iQIcBAEBCAAGBQJUSSGuAAoJEBzwKT+lPKRYHZcP+weLH/AgmnVPs6dxiXG+Qjtg
> ndtap6eKAuys+LBmHYQCki780cmmnX0UZg8sEVENPJ+GSRRuni3/S8RwixTnA4Lv
> YbuEov2d0oxTI+ZzH0HSR40nYPSzKY3m/yzMlB4y+JrvA3ousxiIDZ07tkM6LvCq
> 6Cpn54Bd7InbHWJJJXNyn8iA+snxuJe1QfpxkiFVPrjgZgRFJfsOWCUHN6qsETYG
> EvydlCTR/9b2yPkqApEiYLULSG+K70Wtupp8pPB0jM0dP1i16qZa1SGMh79lP9kO
> FZ3H8PoPwnSluSRefyPnQgCTIWQEP89sJ4Q1fCCN4r/axUgyI6OEWuZ/MGOaN4yg
> Y37sUrcauRCy+Sfh8x7IIJpnVeOZcyPO4sDrmDjySTNKis5hdtpxwNuTY97XxHe+
> 2bD3jierVw05T4lj6zOraRo2yrzVVWujd1RUJ8vCMBnx6l3rvzxGp+10sUqePyeF
> nhc3rWg1vWcdxXDDJ8p853Xb5k1MuR1rQg2kJ9AWJDfMZULi80awPZYQuJOC9O/n
> TFGKcLsXM0xp6ND0ItdLgzTXlj8xhPDvNGp438KSD16ofm27dWM++btD4Ss3DoVs
> Vu+xwL2td0nx94+jEJgibi4SVCCVkgNzO5vu/uyxVFE1oBGxo6OSQTnp4UDc5KkY
> DQ2jHJBmVqVHwxOxS4j7
> =wFKq
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message