2014-03-14 19:04 GMT+04:00 Christopher Schultz <ch...@christopherschultz.net>:
> Joseph,
>
> On 3/14/14, 9:49 AM, Joesph Bleau wrote:
>> I should also mention that after some very simple testing I was
>> able to confirm that (of course) Tomcat is notifying my application
>> when the session is invalidated in a valve. I'm still fairly new to
>> this entire stack, so forgive my ignorance. :-)
>
> No problem. Tomcat does in fact change the session id, but only
> *after* a successful authentication (but before the session is blessed
> with authentication information). I believe you said something about
> changing the session id when the user accesses the login page --
> regardless of whether the authentication attempt is successful. Tomcat
> doesn't do that.

Tomcat does that.

For FORM authentication the session id is changed twice. This security
feature is CVE-2013-2067.

> Mark does a good job describing the whole situation here:
> http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection
>

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org