Author: rjung Date: Thu Apr 15 19:19:15 2010 New Revision: 934554 URL: http://svn.apache.org/viewvc?rev=934554&view=rev Log: Address BZ45255: Prevent session fixation by providing option (disabled by default) to change session ID on authentication.
Backport of r918761 from TC 5.5.x.
Modified:
tomcat/sandbox/tomcat-oacc/trunk/docs/changelog.xml
tomcat/sandbox/tomcat-oacc/trunk/src/share/org/apache/catalina/cluster/session/JvmRouteBinderValve.java
Modified: tomcat/sandbox/tomcat-oacc/trunk/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/sandbox/tomcat-oacc/trunk/docs/changelog.xml?rev=934554&r1=934553&r2=934554&view=diff
==============================================================================
--- tomcat/sandbox/tomcat-oacc/trunk/docs/changelog.xml (original)
+++ tomcat/sandbox/tomcat-oacc/trunk/docs/changelog.xml Thu Apr 15 19:19:15 2010
@@ -31,6 +31,12 @@
 <body>
 <section name="Tomcat OACC 0.1 (rjung)">
 <subsection name="Cluster">
+ <add>
+ <bug>45255</bug>: Add the ability to change session ID on
+ authentication to protect against session fixation attacks. This is
+ disabled by default.
+ Port from Tomcat 5.5. (rjung)
+ </add>
 <changelog>
 <fix>
 <bug>47554</bug>: httpOnly flag not applied to migrated session cookie.
Modified: tomcat/sandbox/tomcat-oacc/trunk/src/share/org/apache/catalina/cluster/session/JvmRouteBinderValve.java
URL: http://svn.apache.org/viewvc/tomcat/sandbox/tomcat-oacc/trunk/src/share/org/apache/catalina/cluster/session/JvmRouteBinderValve.java?rev=934554&r1=934553&r2=934554&view=diff
==============================================================================
--- tomcat/sandbox/tomcat-oacc/trunk/src/share/org/apache/catalina/cluster/session/JvmRouteBinderValve.java (original)
+++ tomcat/sandbox/tomcat-oacc/trunk/src/share/org/apache/catalina/cluster/session/JvmRouteBinderValve.java Thu Apr 15 19:19:15 2010
@@ -406,9 +406,8 @@ public class JvmRouteBinderValve extends
 * new session id for node migration
 */
 protected void changeRequestSessionID(Request request, Response response, String sessionId, String newSessionID) {
- request.setRequestedSessionId(newSessionID);
- if(request.isRequestedSessionIdFromCookie())
- setNewSessionCookie(request, response,newSessionID);
+ request.changeSessionId(newSessionID);
+
 // set orginal sessionid at request, to allow application detect the
 // change
 if (sessionIdAttribute != null && !"".equals(sessionIdAttribute)) {
@@ -451,6 +450,8 @@ public class JvmRouteBinderValve extends
 * @param request current request
 * @param response Tomcat Response
 * @param sessionId The session id
+ *
+ * @deprecated Use {...@link Request#changeSessionId(String)}
 */
 protected void setNewSessionCookie(Request request, Response response, String sessionId) {
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
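Review bot: The new `request.changeSessionId(newSessionID)` call drops the `isRequestedSessionIdFromCookie()` guard that previously decided whether a replacement cookie was written at all, so whether a URL-rewritten session now also receives a cookie is decided inside `Request#changeSessionId`, which is not visible here and should be confirmed against its implementation before relying on this valve for the fixation defense described in the log. The method's Javadoc above the hunk still reads only "new session id for node migration"; adding `* Delegates the requested-id update and any cookie rewrite to {@link Request#changeSessionId(String)}.` would tell the next maintainer where that logic moved. The Javadoc of changeRequestSessionID starts before the hunk and its body continues after it.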
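Review bot: The `@deprecated` Javadoc tag added to `setNewSessionCookie` is not paired with a `@Deprecated` annotation on the method, so callers in other classes get no compiler warning and the deprecation exists only in the generated docs; add `@Deprecated` on the line before `protected void setNewSessionCookie(Request request, Response response, String sessionId) {`. The tag could also state why the direct cookie write is discouraged — from the first hunk it appears that `Request#changeSessionId(String)` updates the requested id and the cookie together, whereas this method writes only the cookie — so that readers do not keep the two paths in sync by hand. The method body continues past the end of the hunk.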