tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From 이강우(KangWoo Lee) <koo...@gmail.com>
Subject Re: is normal keep value when tomcat restart after JSESSIONID was create?
Date Thu, 23 Oct 2014 05:56:11 GMT
ok I undertand.

-> the session identifier should change to prevent session-fixation attacks.

but how I can set tomcat to regenerate id value?
I was search document, but can't find it


2014-10-22 22:44 GMT+09:00 Christopher Schultz <chris@christopherschultz.net
>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> 이강우,
>
> On 10/22/14 4:41 AM, 이강우(KangWoo Lee) wrote:
> > Environment - openjdk 1.7 - tomcat 7.0.55 with native connector -
> > apache 2.4.10 with mod-jk 1.2.40
> >
> > 1. Tomcat start 2. Client request -> JSESSIONID is null 3. tomcat
> > response -> JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 is create
> > 4. refresh page -> session attribute(name=count, value=count++) is
> > correct. count is increasing.
>
> Good so far.
>
> > 5. Tomcat stop -> start (restart) context setting is session is
> > not persist
>
> Okay.
>
> > 6. Client refresh -> client request is send
> > JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 7. session
> > attribute(name=count, value=0) is reset. but keeping JSESSIONID
> >
> > question. why tomcat using JSESSIONID set by client request value?
> > is not regenerate?
>
> If the client requests a session by id, Tomcat will try to give it to
> them. If it doesn't exist, it will use that session identifier for the
> new session.
>
> Did the user actually authenticate with Tomcat? Or just get an
> anonymous session? If the user authenticates with Tomcat, the session
> identifier should change to prevent session-fixation attacks.
>
> > is this java spec?
>
> I believe the spec says nothing about the generation of session ids.
> Even the above session-fixation behavior is outside of the spec (but
> definitely does not violate it).
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: GPGTools - http://gpgtools.org
>
> iQIcBAEBCAAGBQJUR7S/AAoJEBzwKT+lPKRYdT4P/3HHrY/yEJmZUWFuyAlAIgkG
> J14ix608FsWkGtsIKwh7RxgArSx3eH7niswJ8FxHljZJQThlasInz8SJlFzGYBvA
> +++56BziHVRAc+vn00/yOjzO+GW73fm+vjcnL/i6tIYLiX3YT2qd+iWV34YYBnVJ
> X0ZS6Kz2+YmkbzN9ccGp8ZWq51jqZtVsPSzEpKmdp2mf2s48O3cQlCNiw6Q5CVCr
> a0IU//ciwnkF50l5T2h4oZOV0L0ZraPgbAzf2lNpazNjSnAF3DpG2uVJc9OLIZXy
> ZBA3SM+MoLiYDbR5Wv02zx1ifDraMMrVSfeYL6zEpz5tIqeJ4wYSf2iyrkzG2fOr
> lnCdVDh1s2hRuVOsQlh8UkG86NQecc8eK6QCCviT5bSS02KK202+i/Z8uW8h4SVT
> wMyNv4vsPBgCauM5mugWiTu8T1Ae8fqIznXOImal7sVyQrE20mePkhEo6LqD6NXf
> loY55Uul/m0x52fL3/Z9czkJaWhOVd6bRdYgZH/g90CvPVzQZhBBwS15FTgjsxMU
> /IslHCv+u3aOr5HxwW4Rl83ifFM2b0tf/X/VKAqRekgz6OJF1HP4J4HN79ecdC/J
> +R+J5eo/L5hlbUbbWaH86X7Qm6rG7XoDwkaFA+6AkDfw/2/Whv11a3C8OlLhltKY
> oqUECCMeOaec6twMZLG4
> =3oOa
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message