Stefan,

On 10/3/13 5:40 AM, Stefan Haberl wrote:
> I've created a minimal test case to isolate the problem. The
> TestServlet is not doing much but invalidating sessions, generating
> new ones and checking if the new one gets a different ID than the
> old one (see attached WAR). IMHO I think this could be a Tomcat
> bug?
>
> Steps to reproduce the problem:
>
> 1. Install fresh Tomcat 7.0.42
> 2. Remove default webapps/ROOT

Is it important that the webapp run as ROOT? Or can it have another
context path?

> 3. Deploy the attached WAR including the TestCase as
> webapps/ROOT.war

This list strips attachments. Perhaps you could create a bug in
Bugzilla and attach it there? I'm not yet convinced there is a Tomcat
bug, so perhaps BZ isn't the right place quite yet. Your other option
would be to host the example webapp somewhere and post a link.

> 4. Fire up Tomcat
> 5. Browse to localhost:8080/TestServlet
> 6. Reload the page ==> ERROR: No new session ID will be created
>
> As soon as you comment out the sessionCookiePath="/" line at the
> context descriptor inside the WAR (/META-INF/context.xml) you can
> reload the page (Step 6 above) as often as you like and new session
> IDs will be generated as they IMHO should be to prevent session
> fixation attacks.

-chris
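
The symptom in step 6 of the quoted report can be checked from the client side by comparing the session ID a request presented with the one the response set. The following is an added example, not part of this message or of the attached WAR; the function names and all header values are constructed for illustration.

```python
from http.cookies import SimpleCookie

COOKIE_NAME = "JSESSIONID"  # default servlet session cookie name


def session_id(header_value, name=COOKIE_NAME):
    """Extract the session cookie value from a Cookie or Set-Cookie header."""
    if not header_value:
        return None
    jar = SimpleCookie()
    jar.load(header_value)
    morsel = jar.get(name)
    return morsel.value if morsel is not None else None


def classify_exchange(request_cookie, response_set_cookie):
    """Compare the ID the client presented with the ID the server issued."""
    sent = session_id(request_cookie)
    issued = session_id(response_set_cookie)
    if issued is None:
        return "no-new-cookie"   # server set nothing: inconclusive
    if sent is None:
        return "first-session"   # nothing presented, so nothing to reuse
    return "reused" if sent == issued else "rotated"


def reused_ids(exchanges):
    """Return indexes of exchanges where a presented ID was issued again."""
    return [i for i, (req, resp) in enumerate(exchanges)
            if classify_exchange(req, resp) == "reused"]


# Constructed (Cookie, Set-Cookie) header pairs: a first visit, then reloads.
ID_A = "0123456789ABCDEF0123456789ABCDEF"
ID_B = "FEDCBA9876543210FEDCBA9876543210"
SAMPLE = [
    (None, f"JSESSIONID={ID_A}; Path=/; HttpOnly"),
    (f"JSESSIONID={ID_A}", f"JSESSIONID={ID_A}; Path=/; HttpOnly"),
    (f"JSESSIONID={ID_A}; theme=dark", f"JSESSIONID={ID_B}; Path=/; HttpOnly"),
    (f"JSESSIONID={ID_B}", None),
]

if __name__ == "__main__":
    for i, (req, resp) in enumerate(SAMPLE):
        print(i, classify_exchange(req, resp))
```
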