> Are you actually using HTTP Basic authentication? You may be configuring
> the wrong authenticator. (I know nothing about Shibboleth)

I'm using Apache HTTPD as a front-end (via mod_proxy) for Tomcat, since Shibboleth works (mostly) with Apache HTTPD. So, the authentication happens on the HTTPD side. I am now trying different values for Authenticators (feeling rather silly, but willing to try)...

https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/authenticator/package-summary.html

--Hardy

________________________________________
From: Christopher Schultz [ch...@christopherschultz.net]
Sent: Thursday, September 03, 2015 12:00 PM
To: Tomcat Users List
Subject: Re: seeking help with stabilizing the persistence of a JSESSIONID

Hardy,

On 9/3/15 12:52 PM, Pottinger, Hardy J. wrote:
> Hi, I'm trying to disable session-fixation-attack protection on
> our test server, and I've added the following valve to both my
> application's context-fragment file, as well as the main
> context.xml file:
>
> <Valve
> className="org.apache.catalina.authenticator.BasicAuthenticator"
> changeSessionIdOnAuthentication="false" alwaysUseSession="true"/>

Are you actually using HTTP Basic authentication? You may be configuring the wrong authenticator. (I know nothing about Shibboleth).

> However, after several Tomcat restarts, I can still see the
> session cookie change after authentication.
>
> I'm wondering if perhaps the problem is that this isn't Tomcat
> authentication, but HTTPD authentication, via the Shibboleth
> module on Apache.

Perhaps, but Tomcat is always the arbiter of your session identifier. Are you even using an authenticator in Tomcat? What does your <auth-method> in web.xml say?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
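
An added example, not part of the original thread: a small Python check for the question raised in the reply, whether the authenticator Valve in context.xml matches the `<auth-method>` in web.xml, which also flags a Valve that turns off session ID rotation. The class-name table reflects Tomcat's built-in auth-method defaults; the function names and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Tomcat's default auth-method -> authenticator classes; "NONE" is what applies
# when web.xml has no <login-config>. Verify against your Tomcat version.
PKG = "org.apache.catalina.authenticator."
DEFAULTS = {
    "BASIC": PKG + "BasicAuthenticator",
    "DIGEST": PKG + "DigestAuthenticator",
    "FORM": PKG + "FormAuthenticator",
    "CLIENT-CERT": PKG + "SSLAuthenticator",
    "SPNEGO": PKG + "SpnegoAuthenticator",
    "NONE": PKG + "NonLoginAuthenticator",
}

def auth_method(web_xml):
    """Return the <auth-method> text from web.xml, or "NONE" if absent."""
    for el in ET.fromstring(web_xml).iter():
        # Compare local names so namespaced and plain web.xml both work.
        if el.tag.rsplit("}", 1)[-1] == "auth-method" and el.text:
            return el.text.strip()
    return "NONE"

def audit(web_xml, context_xml):
    """List mismatches between the configured authenticator Valve and web.xml."""
    method = auth_method(web_xml)
    expected = DEFAULTS.get(method)
    findings = []
    for valve in ET.fromstring(context_xml).iter("Valve"):
        cls = valve.get("className", "")
        if not cls.startswith(PKG):
            continue  # not an authenticator valve
        if cls != expected:
            findings.append(f"valve {cls} does not match auth-method "
                            f"{method} (expected {expected})")
        if valve.get("changeSessionIdOnAuthentication", "true").lower() == "false":
            findings.append(f"{cls}: session ID is not rotated on authentication")
    return findings

# Constructed samples: a web.xml without <login-config> (authentication is done
# by the HTTPD front end) and the Valve quoted in the thread.
SAMPLE_WEB_XML = '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0"/>'
SAMPLE_CONTEXT_XML = """<Context>
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
         changeSessionIdOnAuthentication="false" alwaysUseSession="true"/>
</Context>"""

if __name__ == "__main__":
    for line in audit(SAMPLE_WEB_XML, SAMPLE_CONTEXT_XML):
        print(line)
```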