Hi all,

I've created a minimal test case to isolate the problem. The TestServlet is not 
doing much but invalidating sessions, generating new ones and checking if the 
new one gets a different ID than the old one (see attached WAR). IMHO I think 
this could be a Tomcat bug?

Steps to reproduce the problem:

1. Install fresh Tomcat 7.0.42
2. Remove default webapps/ROOT
3. Deploy the attached WAR including the TestCase as webapps/ROOT.war
4. Fire up Tomcat
5. Browse to localhost:8080/TestServlet
6. Reload the page  ==> ERROR: No new session ID will be created

As soon as you comment out the sessionCookiePath="/" line at the context 
descriptor inside the WAR (/META-INF/context.xml) you can reload the page (Step 
6 above) as often as you like and new session IDs will be generated as they 
IMHO should be to prevent session fixation attacks.

Anyone any thoughts on this?

Stefan

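The check the TestServlet performs (invalidate, create a new session, compare IDs) as an added example, not the attached WAR or any Tomcat code; the class name and the "authenticated" attribute are assumptions. It fails closed when the container hands back the old ID instead of marking a session as logged in on top of an attacker-supplied identifier:

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet (not the TestServlet from the attached WAR).
public class SessionRotationCheckServlet extends HttpServlet {

    /**
     * Invalidate the caller's current session and create a fresh one.
     * Returns the new session, or null if the container reused the old ID,
     * i.e. the symptom reported above.
     */
    static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        // Capture the ID first: getId() on an invalidated session may throw.
        String oldId = (old == null) ? null : old.getId();
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        if (oldId != null && oldId.equals(fresh.getId())) {
            // Same ID after invalidate(): whoever planted the old cookie
            // would also own the new session, so refuse to continue.
            return null;
        }
        return fresh;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession before = request.getSession(false);
        String oldId = (before == null) ? "(none)" : before.getId();
        HttpSession fresh = rotateSession(request);
        if (fresh == null) {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "Session ID was not regenerated after invalidate()");
            return;
        }
        // Only mark the session as authenticated once the ID has changed.
        fresh.setAttribute("authenticated", Boolean.TRUE);
        response.setContentType("text/plain");
        response.getWriter().println("old=" + oldId + " new=" + fresh.getId());
    }
}
```

Reloading the page twice, as in step 6, should print a different `new=` value each time; a 500 response from this servlet reproduces the reported failure.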

On 02.10.2013, at 23:42, Stefan Haberl <birnbu...@gmail.com> wrote:

> Hi Chuck,
> 
> Sorry, that was a copy and paste error into my mail client. My context.xml of 
> course looks like:
> 
> <Context 
>  sessionCookieDomain="acme.org"
>  sessionCookieName="acme"
>  useHttpOnly="true"
>  disableURLRewriting="true"
> >
> 
> <!-- disable persistent sessions -->
> <Manager pathname="" />
> 
> </Context>
> 
> Stefan
> 
> On 02.10.2013, at 23:36, "Caldarale, Charles R" <chuck.caldar...@unisys.com> 
> wrote:
> 
>>> From: Stefan Haberl [mailto:birnbu...@gmail.com] 
>>> Subject: Session does not get invalidated when sessionCookiePath is set to 
>>> "/"
>> 
>>> I've a context.xml like so:
>> 
>>> <Context 
>>>  sessionCookieDomain="acme.org"
>>>  sessionCookieName="acme"
>>>  useHttpOnly="true"
>>>  disableURLRewriting="true"
>>> />
>> 
>> The /> terminates the <Context> element, so the rest of your .xml file is 
>> probably ignored...
>> 
>>> <!-- disable persistent sessions -->
>>> <Manager pathname="" />
>> 
>> Not sure what the <Manager> applies to, since it's not nested inside the 
>> <Context>.
>> 
>>> </Context>
>> 
>> Not semantically valid, since the <Context> element was already closed.
>> 
>> - Chuck
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>> 
> 
> --
> Stefan Haberl
> http://christa-und-stefan.net
> 
> 
> 
> 
> 

--
Stefan Haberl
http://christa-und-stefan.net