tomcat-users mailing list archives

From "Pottinger, Hardy J." <>
Subject RE: seeking help with stabilizing the persistence of a JSESSIONID
Date Thu, 03 Sep 2015 16:52:07 GMT
Hi, I'm trying to disable session-fixation-attack protection on our test server, and I've added
the following valve to both my application's context-fragment file and the main context.xml

 <Valve className="org.apache.catalina.authenticator.BasicAuthenticator" changeSessionIdOnAuthentication="false" />

However, after several Tomcat restarts, I can still see the session cookie change after authentication.

I'm wondering if perhaps the problem is that this isn't Tomcat authentication, but HTTPD authentication,
via the Shibboleth module on Apache.


From: Pottinger, Hardy J.
Sent: Thursday, September 03, 2015 11:13 AM
To: Tomcat Users List
Subject: RE: seeking help with stabilizing the persistence of a JSESSIONID

Hi, Chris, thanks for the quick reply! Right now I'm just grasping at straws. If I can prove
the JSESSIONID remains the same, and the previous URL is still lost, I'll have definitive
proof that the application code is somehow at fault. Right now I have this gray area where
it looks (to application devs like me) that Tomcat is losing the session. Can you help me
bounce this hot potato back to my fellow devs? :-) Thanks!

From: Christopher Schultz []
Sent: Thursday, September 03, 2015 10:45 AM
To: Tomcat Users List
Subject: Re: seeking help with stabilizing the persistence of a JSESSIONID



On 9/3/15 11:12 AM, Pottinger, Hardy J. wrote:
> Hi, I'm a committer for DSpace [1] (a Java servlet) and I'm working
> on a bug [2]. This bug presents with the following symptoms:
> 1) user searches site, finds an item of interest, attempts to
> access the item, but is not currently logged in, so is presented
> with a "please enter password" challenge;
> 2) user chooses to authenticate via Shibboleth and is passed on to
> a Shibboleth IdP for authentication;
> 3) user authenticates successfully;
> 4) user is returned to the home page of the site, instead of the
> item previously requested.
> DSpace stores the previously-visited URL in the session. I can see
> the JSESSIONID cookie at step 1 above. At step 4, the JSESSIONID
> is new. In other words, the previous session (with the previous
> URL information) is discarded.

Are you sure that the stored URL has been discarded, or has only the
session identifier changed? Tomcat changes session ids after
successful authentication to prevent session-fixation attacks.

> I suspect that there is some setting for Tomcat7 I'm missing. Is
> there some way to tell Tomcat to allow these sessions to persist
> during the roundtrip to the Shibboleth IdP and back?

You *can* disable session-id changes, but then you lose a layer of
security. Are you sure you need to disable this protection?

-chris


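Chris's point is that a changed JSESSIONID and a discarded session are two different things: Tomcat's authenticators rotate the id after a successful login (session-fixation protection) but carry the session's attributes over to the new id. The following model, added here as an illustration and not code from Tomcat, DSpace, or anyone on this thread, separates the two questions so they can be checked independently: did the id change, did the stored return URL survive, and is the pre-login id still usable. The `SessionStore`, its `change_session_id_on_authentication` flag (named after the Tomcat attribute the thread uses), and the sample user and URL are all constructed for this example.

```python
"""Model of session-id rotation on authentication (added example, not Tomcat or DSpace code).

Rotation moves a session's attributes to a freshly generated id and invalidates the old
one.  That is what stops a session id known before login (session fixation) from being
useful after login, and it is also why a stored attribute such as a return URL should
still be there after the id changes.  Every name and value below is constructed.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    attributes: Dict[str, str] = field(default_factory=dict)
    principal: Optional[str] = None


class SessionStore:
    """Minimal in-memory session store standing in for a servlet container."""

    def __init__(self, change_session_id_on_authentication: bool = True):
        # Mirrors the Tomcat authenticator attribute of the same name; default is true.
        self.change_session_id_on_authentication = change_session_id_on_authentication
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def set_attribute(self, sid: str, key: str, value: str) -> None:
        self._sessions[sid].attributes[key] = value

    def rotate_id(self, old_sid: str) -> str:
        """Move the session object to a new id; the old id stops resolving."""
        session = self._sessions.pop(old_sid)
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = session
        return new_sid

    def authenticate(self, sid: str, user: str) -> str:
        """Record the principal and, when protection is on, rotate the id."""
        self._sessions[sid].principal = user
        if self.change_session_id_on_authentication:
            return self.rotate_id(sid)
        return sid


def login_roundtrip(store: SessionStore, cookie: str, user: str,
                    requested_url: str) -> Tuple[str, Optional[str]]:
    """Steps 1-4 of the bug report: stash the requested URL, authenticate, come back.
    Returns (cookie after login, return URL recovered from the session)."""
    store.set_attribute(cookie, "return_url", requested_url)
    cookie_after = store.authenticate(cookie, user)
    session = store.get(cookie_after)
    return cookie_after, session.attributes.get("return_url")


def observe(protected: bool) -> Dict[str, bool]:
    """Run the round trip with protection on or off and report the three observations."""
    store = SessionStore(change_session_id_on_authentication=protected)
    before = store.create()
    after, url = login_roundtrip(store, before, "hardy", "/handle/123/456")
    return {
        "id_changed": before != after,
        "return_url_survived": url == "/handle/123/456",
        "old_id_still_valid": store.get(before) is not None,
    }


if __name__ == "__main__":
    print("protected (default):", observe(True))
    print("protection disabled:", observe(False))
```

With protection on, the cookie value changes and the old id no longer resolves, yet the return URL is still in the session; with protection off, the id stays the same (and so stays valid for anyone who knew it before login) and the URL is, of course, also still there. If an application loses the return URL in the protected case, the cause is the application re-reading the wrong session (or a different layer, such as httpd, minting a new one), not the rotation itself.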
To unsubscribe, e-mail:
For additional commands, e-mail: