tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: seeking help with stabilizing the persistence of a JSESSIONID
Date Thu, 03 Sep 2015 17:00:51 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hardy,

On 9/3/15 12:52 PM, Pottinger, Hardy J. wrote:
> Hi, I'm trying to disable session-fixation-attack protection on
> our test server, and I've added the following valve to both my 
> application's context-fragment file, as well as the main
> context.xml file:
> 
> <Valve 
> className="org.apache.catalina.authenticator.BasicAuthenticator" 
> changeSessionIdOnAuthentication="false" alwaysUseSession="true"/>

Are you actually using HTTP Basic authentication? You may be configuring
the wrong authenticator. (I know nothing about Shibboleth).

> However, after several Tomcat restarts, I can still see the
> session cookie change after authentication.
> 
> I'm wondering if perhaps the problem is that this isn't Tomcat 
> authentication, but HTTPD authentication, via the Shibboleth
> module on Apache.

Perhaps, but Tomcat is always the arbiter of your session identifier.
Are you even using an authenticator in Tomcat? What is your
<auth-method> in web.xml say?

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJV6HzCAAoJEBzwKT+lPKRY03cQAI0jlkvH+bLotz3wFo895a4v
7a+AsrP7zpIErjC5oMMzRXwqpXbxkBX93Yc7h5xH08iW3KeqmPAz2R3SF1BTmbsW
1julPHxo1VDc00siTNflWgxHk3JHn/OD08YlUolVLYxAEgoCj8oZ/m8wmWyNAkmX
LuW23mr32l+QmPvFWQbwlaQzt4uGrt2f1nq24wWP3ZZ+NhoZLhFyEqYVnq2KQ7PS
gyvRjnhGZJ+EuVyL8N3rna0yTyKVHIrh9amTduOx1XwC85+3QLvQDhpIFjVSAm3L
Bbpoi81rHnZHVfGNO6HGf2oJRmCJAg3s1iLbY2gTG5PsXUtu4PoKTaMUHPJbKS43
BhoTacODdsa0IdGeDlFX3vjUfGMYh7ymo+a43FscOLsbMyZJAZRjAFD26oHislcb
RYaYYIRseXHir65NxlDn/lvdFNllqOJtcBXKB2kFZlDPNUcuizR17bZV6BzJi0bG
iQWej2JbYSfOKHLCd9mkQO7iI9eklwNXHxyoAPFP2aSP6Hu5hispKtckO2Pu3UOW
VqEsH929MD9XMCe/wea0WxW+JmQDFmFZZxHDYfGisJ1v5wSKStjH6mNZZR1tmCpm
tPIJDcgUB4ag2k+pkzs35QVYBgaXRbh3S2/XMlXHoMhzSZd+ciPPGa96Zll2TEZR
puMLQsH0udM3ptXfWDBR
=6J0h
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message