2014-03-14 19:04 GMT+04:00 Christopher Schultz <ch...@christopherschultz.net>:
> Joseph,
>
> On 3/14/14, 9:49 AM, Joesph Bleau wrote:
>> I should also mention that after some very simple testing I was
>> able to confirm that (of course) Tomcat is notifying my application
>> when the session is invalidated in a valve. I'm still fairly new to
>> this entire stack, so forgive my ignorance. :-)
>
> No problem. Tomcat does in fact change the session id, but only
> *after* a successful authentication (but before the session is blessed
> with authentication information). I believe you said something about
> changing the session id when the user accesses the login page --
> regardless of whether the authentication attempt is successful. Tomcat
> doesn't do that.

Tomcat does that. For FORM authentication the session id is changed twice.
This security feature is CVE-2013-2067.

> Mark does a good job describing the whole situation here:
> http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection

Best regards,
Konstantin Kolinko
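As an added example (not code from this thread and not Tomcat's own code), here is a way to observe the session id rotations discussed above from inside a web application: a Servlet 3.1 HttpSessionIdListener that logs every id change the container performs (including the ones Tomcat does during FORM authentication), plus a filter that additionally rotates the id whenever the login page itself is requested. It assumes Tomcat 8+ (Servlet 3.1, which provides HttpSessionIdListener and HttpServletRequest.changeSessionId()); the package name, class names and the /login.jsp path are assumptions.

```java
package example.session; // hypothetical package name

import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;

public final class SessionIdRotation {
    private static final Logger LOG = Logger.getLogger(SessionIdRotation.class.getName());

    /** Receives a callback for every session id change the container performs,
     *  including the rotation(s) Tomcat does during FORM authentication. */
    @WebListener
    public static class RotationAudit implements HttpSessionIdListener, HttpSessionListener {
        @Override
        public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
            LOG.info("session id rotated: " + oldSessionId + " -> " + event.getSession().getId());
        }
        @Override
        public void sessionCreated(HttpSessionEvent event) {
            LOG.info("session created: " + event.getSession().getId());
        }
        @Override
        public void sessionDestroyed(HttpSessionEvent event) {
            LOG.info("session destroyed: " + event.getSession().getId());
        }
    }

    /** Additionally rotates the id when the login page itself is requested,
     *  regardless of whether an authentication attempt follows or succeeds. */
    @WebFilter("/login.jsp") // assumed login page path
    public static class LoginPageRotationFilter implements Filter {
        @Override public void init(FilterConfig cfg) { }
        @Override public void destroy() { }
        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpSession session = request.getSession(false);
            // Only an existing, not-yet-authenticated session is rotated, so an id
            // the browser held before seeing the login page cannot survive login.
            if (session != null && request.getUserPrincipal() == null) {
                request.changeSessionId();
            }
            chain.doFilter(req, res);
        }
    }
}
```

With the listener deployed, a FORM login should produce one "session id rotated" log line per rotation Tomcat performs, which is a direct way to verify the CVE-2013-2067 behaviour on a given Tomcat build.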