tomcat-dev mailing list archives

Subject DO NOT REPLY [Bug 51631] New: Bug in the Session Fixation Protection Feature
Date Mon, 08 Aug 2011 09:46:21 GMT

             Bug #: 51631
           Summary: Bug in the Session Fixation Protection Feature
           Product: Tomcat 7
           Version: 7.0.12
          Platform: PC
            Status: NEW
          Severity: major
          Priority: P2
         Component: Catalina
    Classification: Unclassified

Created attachment 27359
The file with fix

Bug in the Session Fixation Protection Feature
The Session Fixation Protection feature was added to Apache Tomcat 7 and Apache
Tomcat 6.
The feature can be problematic if an application does not use Form
Authenticator and in addition the application creates a session.
In this case the session will not be created by an authenticator, and upon the
next request the session fixation protection feature in the authenticator will
recreate the session. The problem is that the application can lose its state.
How to fix the bug?
Please find the attached patch for Apache Tomcat 7.
The fix will allow the authenticator to create a session upon authentication,
and the application will not be required to create a session.
Tomcat 7 already has the variable alwaysUseSession, but unfortunately it is not
possible to configure it.
BTW, I think that a better name for the variable is enforceSessionCreation.
When it is released, it will be required to configure the context of your
application (not the main context $CATALINA_BASE/conf/context.xml):
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
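An added illustration of the state-loss problem the report describes (example code written for this page, not from the attached patch or from Tomcat): a toy session store with two ways an authenticator can rotate a session after login. `SessionStore`, `login_flow` and the sample "cart" attribute are constructed for the example.

```python
"""Session fixation protection: rotating the session on login, with and without losing state."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    id: str
    attributes: dict = field(default_factory=dict)


class SessionStore:
    """Minimal stand-in for a container's session manager (constructed for this example)."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        s = Session(secrets.token_hex(16))
        self._sessions[s.id] = s
        return s

    def get(self, sid):
        return self._sessions.get(sid)

    def expire_and_recreate(self, session):
        """Variant 1: expire the pre-login session and start a fresh one.
        Defeats fixation (old ID is dead) but discards everything the app stored."""
        del self._sessions[session.id]
        return self.create()

    def change_id(self, session):
        """Variant 2: keep the session object, rotate only its identifier.
        Defeats fixation just as well and preserves application state."""
        del self._sessions[session.id]
        session.id = secrets.token_hex(16)
        self._sessions[session.id] = session
        return session


def login_flow(store, rotate):
    """Simulate the report's scenario: the application creates a session and stores
    state before authentication, then the authenticator applies `rotate` on login.
    Returns (pre_login_id_still_valid, app_state_preserved, post_login_session)."""
    pre_auth = store.create()
    pre_auth.attributes["cart"] = ["item-42"]  # application state stored before login
    old_id = pre_auth.id
    post_auth = rotate(store, pre_auth)
    post_auth.attributes["user"] = "alice"  # principal registered by the authenticator
    return (store.get(old_id) is not None, "cart" in post_auth.attributes, post_auth)
```

The attached patch takes a different route to the same goal: if the authenticator creates the session before the application stores anything (the alwaysUseSession behaviour), there is no pre-authentication state left to lose.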
