I found the cause. Setting the context attribute sessionCookiePath="/" has the same effect as emptySessionPath. The Tomcat documentation says that if emptySessionPath is set, Tomcat uses the session id value from the client request.
I solved it, thanks to your comment.

On 2014-10-24 at 12:42 AM, "Christopher Schultz" <ch...@christopherschultz.net> wrote:

> 이강우,
>
> On 10/23/14 1:56 AM, 이강우(KangWoo Lee) wrote:
> > OK, I understand.
> >
> > -> the session identifier should change to prevent session-fixation
> > attacks.
> >
> > But how can I set Tomcat to regenerate the id value? I searched the
> > documentation, but can't find it.
>
> I'm not sure what you are asking. Can you ask in a different way? Do
> you want Tomcat to reject the requested (invalid) session id and
> generate a new one instead?
>
> -chris
>
> > 2014-10-22 22:44 GMT+09:00 Christopher Schultz
> > <ch...@christopherschultz.net>:
> >
> > > 이강우,
> > >
> > > On 10/22/14 4:41 AM, 이강우(KangWoo Lee) wrote:
> > > > Environment
> > > > - openjdk 1.7
> > > > - tomcat 7.0.55 with native connector
> > > > - apache 2.4.10 with mod-jk 1.2.40
> > > >
> > > > 1. Tomcat start
> > > > 2. Client request -> JSESSIONID is null
> > > > 3. Tomcat response -> JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 is created
> > > > 4. Refresh page -> session attribute (name=count, value=count++) is correct; count is increasing.
> > >
> > > Good so far.
> > >
> > > > 5. Tomcat stop -> start (restart); context setting: session is not persisted
> > >
> > > Okay.
> > >
> > > > 6. Client refresh -> client request sends JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98
> > > > 7. Session attribute (name=count, value=0) is reset, but JSESSIONID is kept.
> > > >
> > > > Question: why does Tomcat use the JSESSIONID value set by the client request? Is it not regenerated?
> > >
> > > If the client requests a session by id, Tomcat will try to give it
> > > to them. If it doesn't exist, it will use that session identifier
> > > for the new session.
> > >
> > > Did the user actually authenticate with Tomcat? Or just get an
> > > anonymous session? If the user authenticates with Tomcat, the
> > > session identifier should change to prevent session-fixation
> > > attacks.
> > >
> > > > Is this Java spec?
> > >
> > > I believe the spec says nothing about the generation of session
> > > ids. Even the above session-fixation behavior is outside of the
> > > spec (but definitely does not violate it).
> > >
> > > -chris
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > For additional commands, e-mail: users-h...@tomcat.apache.org
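Chris's point that the session identifier should change once the user authenticates, as an added example that is not code from the thread or from Tomcat: a login servlet written against the Servlet 3.0 API (the level Tomcat 7.0.55 provides) that rotates the id after a successful credential check and logs the symptom seen in the thread, a client presenting a session id the container does not know. `LoginServlet`, `authenticate` and the `user`/`password` parameter names are assumptions; the container calls used (`getRequestedSessionId()`, `isRequestedSessionIdValid()`, `getSession()`, `invalidate()`) are standard servlet API.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the thread or from Tomcat): application-managed
 * login that never lets an authenticated session keep the id the client
 * presented before logging in. Servlet 3.0 API only.
 */
public abstract class LoginServlet extends HttpServlet {

    /** Hypothetical credential check; the real user store plugs in here. */
    protected abstract boolean authenticate(String user, String password);

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String presented = request.getRequestedSessionId();
        String user = request.getParameter("user");

        // Detection: the client sent an id the container does not know, which
        // is what happens after the restart in the thread. Log it, never
        // treat the id itself as meaningful.
        if (presented != null && !request.isRequestedSessionIdValid()) {
            log("login request carried an unknown session id from "
                    + request.getRemoteAddr());
        }

        if (!authenticate(user, request.getParameter("password"))) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        HttpSession session = renewSession(request);

        // Under the behaviour described in the thread (a requested id reused
        // for the new session) the recreated session can come back with the
        // same id. An authenticated session must not keep a pre-login id, so
        // fail closed rather than complete the login.
        if (presented != null && presented.equals(session.getId())) {
            log("session id was not rotated at login for user " + user);
            session.invalidate();
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }

        session.setAttribute("user", user);
        response.sendRedirect(request.getContextPath() + "/");
    }

    /**
     * Invalidates the current session (if any) and creates a fresh one,
     * carrying the pre-login attributes across. Servlet 3.1 (Tomcat 8 and
     * later) offers HttpServletRequest.changeSessionId() for the same purpose.
     */
    static HttpSession renewSession(HttpServletRequest request) {
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

This is for applications that check credentials in their own code. With container-managed authentication (a login-config in web.xml), Tomcat 7's Authenticator valves rotate the id themselves, controlled by their changeSessionIdOnAuthentication attribute, which is the setting the thread was looking for. The comparison against the presented id is the check worth keeping in either case: it turns the silent reuse seen in the thread into a logged failure instead of an authenticated session with an attacker-knowable id.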