이강우,
On 10/23/14 1:56 AM, 이강우(KangWoo Lee) wrote:
> ok I understand.
>
> -> the session identifier should change to prevent session-fixation
> attacks.
>
> but how can I set Tomcat to regenerate the id value? I searched the
> documentation, but can't find it.

I'm not sure what you are asking. Can you ask in a different way?

Do you want Tomcat to reject the requested (invalid) session id and
generate a new one instead?

-chris

> 2014-10-22 22:44 GMT+09:00 Christopher Schultz
> <ch...@christopherschultz.net>:
>
> 이강우,
>
> On 10/22/14 4:41 AM, 이강우(KangWoo Lee) wrote:
>>>> Environment
>>>> - openjdk 1.7
>>>> - tomcat 7.0.55 with native connector
>>>> - apache 2.4.10 with mod-jk 1.2.40
>>>>
>>>> 1. Tomcat start
>>>> 2. Client request -> JSESSIONID is null
>>>> 3. Tomcat response -> JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98
>>>>    is created
>>>> 4. Refresh page -> session attribute(name=count, value=count++) is
>>>>    correct. count is increasing.
>
> Good so far.
>
>>>> 5. Tomcat stop -> start (restart); the context setting is that the
>>>>    session is not persisted
>
> Okay.
>
>>>> 6. Client refresh -> client request sends
>>>>    JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98
>>>> 7. session attribute(name=count, value=0) is reset, but JSESSIONID
>>>>    is kept
>>>>
>>>> Question: why does Tomcat use the JSESSIONID value set by the client
>>>> request? Is it not regenerated?
>
> If the client requests a session by id, Tomcat will try to give it
> to them. If it doesn't exist, it will use that session identifier
> for the new session.
>
> Did the user actually authenticate with Tomcat? Or just get an
> anonymous session? If the user authenticates with Tomcat, the
> session identifier should change to prevent session-fixation
> attacks.
>
>>>> Is this the Java spec?
>
> I believe the spec says nothing about the generation of session
> ids. Even the above session-fixation behavior is outside of the
> spec (but definitely does not violate it).
>
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
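The mitigation Chris names above, changing the session id at the moment a user authenticates, written for a Servlet 3.0 webapp as shipped with Tomcat 7. This is an added example, not code from the thread or from Tomcat; the `authenticated` attribute name and the `SessionIdRotation` class are assumptions, and the `staleIdPresented` check corresponds to the post-restart case KangWoo observed.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example (Servlet 3.0 API); not code from the thread or from Tomcat.
public final class SessionIdRotation {

    private SessionIdRotation() {}

    // True when the client presented a JSESSIONID that the container no longer
    // knows, which is exactly the situation after the restart in the thread.
    // Worth logging: a stale id looks the same as one planted for fixation.
    public static boolean staleIdPresented(HttpServletRequest request) {
        return request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
    }

    // Call right after credentials are verified and before any response body is
    // written, so the new Set-Cookie header can still be sent. Returns the
    // replacement session carrying the old session's attributes.
    public static HttpSession rotateAfterLogin(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        String oldId = null;
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            oldId = old.getId();
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();                 // retire the pre-login id
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        // Verify, rather than assume, that the container issued a different id;
        // a container that reuses the requested id would defeat the rotation.
        if (oldId != null && oldId.equals(fresh.getId())) {
            throw new IllegalStateException("session id was not rotated");
        }
        fresh.setAttribute("authenticated", Boolean.TRUE); // assumed app flag
        return fresh;
    }
}
```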