https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #21 from Mark Thomas <ma...@apache.org> 2009-12-11 09:45:21 GMT ---
I have patched Tomcat 7 to change the session ID on authentication by default.
The same patch has been proposed for 6.0.x and 5.5.x although the default may
be not to change the session ID.

With this patch applied the situation is:
Tomcat 7
- Not vulnerable by default since session ID changes on authentication
- If this default is changed by the user (eg because the application can't
handle a changing session ID) then the risks may be minimised by disabling
session tracking via URL (a new feature in Servlet 3)

Tomcat 5 & 6
- Can be prevented by enabling changing the session ID on authentication (if
there is insufficient support for this to be enabled by default)
- If the application can't handle a changing session ID then the risks may be
minimised by writing a custom filter that checks
request.isRequestedSessionIdFromURL() and responds accordingly (eg rejecting
the request)

With these changes in place, although there will not be an option to disable
URL re-writing, I believe that there will be sufficient options to prevent
session fixation which is, after all, the reason behind the request to be able
to disable URL rewriting.

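The custom filter described in the comment above for Tomcat 5 & 6, written out as an added example (this is illustrative code, not Mark Thomas's or Tomcat's). It targets the Servlet 2.4/2.5 API those releases implement and assumes it is mapped to /* in web.xml ahead of the application's other filters; the class name and the 403 response are choices made here, not anything the comment specifies.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example filter (not Tomcat code) for Servlet 2.4/2.5 containers such as
 * Tomcat 5.5 and 6.0, where URL rewriting cannot be switched off.
 *
 * Rejects any request whose session ID arrived in the URL path
 * (";jsessionid=..."), so an attacker cannot plant a known session ID in a
 * link and ride the session after the victim authenticates on it.
 *
 * Register it in web.xml before other filters, e.g.:
 *
 *   <filter>
 *     <filter-name>rejectUrlSessionId</filter-name>
 *     <filter-class>RejectUrlSessionIdFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>rejectUrlSessionId</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class RejectUrlSessionIdFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // Nothing to configure.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Non-HTTP requests carry no session ID; let them pass untouched.
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isRequestedSessionIdFromURL() is true only when the client supplied
        // the session ID in the URL rather than in a cookie. A request with no
        // session ID at all returns false and is allowed through, so normal
        // cookie-based clients are unaffected.
        if (request.isRequestedSessionIdFromURL()) {
            // If the URL-supplied ID names a live session, invalidate it so the
            // planted ID cannot be reused on a later request via a cookie.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Session IDs in the URL are not accepted");
            return;
        }

        chain.doFilter(req, res);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

The filter rejects rather than silently stripping the ID because the application (per the comment) cannot tolerate a changing session ID; refusing the request outright is the only response that guarantees the attacker-supplied ID is never associated with an authenticated user. On Tomcat 7, where the Servlet 3 `<tracking-mode>COOKIE</tracking-mode>` setting and the default change of session ID on authentication are available, this filter is only needed if both of those are turned off.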