tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: seeking help with stabilizing the persistence of a JSESSIONID
Date Thu, 10 Sep 2015 19:57:22 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hardy,

On 9/10/15 3:36 PM, Pottinger, Hardy J. wrote:
>> putting Serializable objects in the session is surely a good
>> idea in general.
> 
> I agree, especially, as you mention, if we intend to distribute 
> sessions among various containers.
> 
>> Tomcat's session-fixation-prevention amounts to changing the
>> session identifier while keeping the session in-tact. So unless
>> you are using distributable sessions, this is unlikely to be the
>> problem.
> 
> You're absolutely right. I now have a serialized attribute, which
> is still lost upon the creation of the new session. Is there
> anything similar I can try, to ensure that the session attributes
> from the previous session are faithfully copied to the new session,
> after session-fixation-prevention does its thing?

It's simpler than you think. Tomcat really does nothing other than
this after successful authentication:

 session.setSessionId(randomNewSessionId);

The "new" session is in fact the same as the old session -- it just
has a new identifier. The client will get a Set-Cookie response
changing the JSESSIONID cookie value, and any URLs encoded with
HttpServletResponse.encodeURL or HttpServletResponse.encodeRedirectURL
will include the updated session identifier (if appropriate).

So the "loss" of your session attribute is puzzling. You could write a
noisy HttpSessionAttributeListener that logs every session-attribute
event (with a stack trace) to see if that attribute is being removed
elsewhere.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJV8eCiAAoJEBzwKT+lPKRYYoAP/3oMiZPb3Dwe8Ty74DEtvg5D
FD4aWQv4hkyhKDCpFAfpVkZYy/Y6sokF2SJteX5INALZ0Uq+w7NKR8z1LdtSAklF
867e/UKYryJnCSlYj2qbitmc9uZ5ivjfWa1lnl/umYsS4lo5RfYOhEJsCahWtOuo
O2DyGcIICqdLQ7W/3kw4Yk+ykypAmGSbmrbUHACVvEAm4318q/W+2oEPwEkmxw3f
qyW/RGtHaLndpruU+p+4uxGh+b/N3RE/R8ZTWvjLtTfIe/XgZyqb+2C3MmV/BbBC
D9IEAqRPchXbnOKBry6j9CYrtWtl9fj2HjbLaXg/ZgNQkDf39gtFB/bdIZVvbcex
CqsCZ9Gm56Cv84O0fWZghXj+kVA0U7vimzeaig8//d3O7OuyzcKOyqvn7/QyQmh5
VVLVVeoVitrio4nlcbrIvAxDf3XUUztDq0YXow0v569emuHnbFikoYNjHcfKaj52
jCEwHrPVPHId0mh22+7lFAIjMjxb6a/vJUwfD0pU+JKlqklMtZmaW2lpyH72J4n5
8VbbLQvrZbi85UfkHhoYmU5/0RdWIlMSuMNXW7EMPZ+EYVaJWMhndyVN0dON3/fV
PojLz02Ye1EQn4kdyiaD288NGtoCyXfc9+tcMgm3e3sBZuMbCy9NwdjVrx9ChVcO
QS8LMEVu0FMhri8oNk/p
=lKTi
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message