I can see in our log files that we log the session ID as part of the 
authentication process.... so it's probable that our authentication code needs 
a bit more work to accommodate the changing session ID. I'll see if I can 
figure it out.
________________________________________
From: Christopher Schultz [ch...@christopherschultz.net]
Sent: Thursday, September 10, 2015 2:57 PM
To: Tomcat Users List
Subject: Re: seeking help with stabilizing the persistence of a JSESSIONID


Hardy,

On 9/10/15 3:36 PM, Pottinger, Hardy J. wrote:
>> putting Serializable objects in the session is surely a good
>> idea in general.
>
> I agree, especially, as you mention, if we intend to distribute
> sessions among various containers.
>
>> Tomcat's session-fixation-prevention amounts to changing the
>> session identifier while keeping the session intact. So unless
>> you are using distributable sessions, this is unlikely to be the
>> problem.
>
> You're absolutely right. I now have a serialized attribute, which
> is still lost upon the creation of the new session. Is there
> anything similar I can try, to ensure that the session attributes
> from the previous session are faithfully copied to the new session,
> after session-fixation-prevention does its thing?

It's simpler than you think. Tomcat really does nothing other than
this after successful authentication:

 session.setSessionId(randomNewSessionId);

The "new" session is in fact the same as the old session -- it just
has a new identifier. The client will get a Set-Cookie response
changing the JSESSIONID cookie value, and any URLs encoded with
HttpServletResponse.encodeURL or HttpServletResponse.encodeRedirectURL
will include the updated session identifier (if appropriate).

So the "loss" of your session attribute is puzzling. You could write a
noisy HttpSessionAttributeListener that logs every session-attribute
event (with a stack trace) to see if that attribute is being removed
elsewhere.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
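An added example (not code from the thread or from Tomcat itself) of the "noisy" HttpSessionAttributeListener Chris suggests: it logs every add/remove/replace of a session attribute together with the stack trace that triggered it. The class name and log format are this example's own choices; the javax.servlet API is the one used by Tomcat 7 and 8 at the time of the thread, and the @WebListener annotation registers it without a web.xml entry on Servlet 3.0+ containers.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;

/**
 * Debugging aid: records every session-attribute event with the stack that
 * caused it, so an attribute that "disappears" can be traced to the code
 * removing it (an explicit removeAttribute(), or a session.invalidate(),
 * which unbinds every attribute and fires attributeRemoved for each).
 *
 * Class name is hypothetical. Remove or disable once the culprit is found;
 * it is far too chatty for production.
 */
@WebListener
public class NoisySessionAttributeListener implements HttpSessionAttributeListener {

    private static final Logger LOG =
            Logger.getLogger(NoisySessionAttributeListener.class.getName());

    @Override
    public void attributeAdded(HttpSessionBindingEvent event) {
        log("ADDED", event);
    }

    @Override
    public void attributeRemoved(HttpSessionBindingEvent event) {
        log("REMOVED", event);
    }

    @Override
    public void attributeReplaced(HttpSessionBindingEvent event) {
        log("REPLACED", event);
    }

    private static void log(String what, HttpSessionBindingEvent event) {
        // For REMOVED and REPLACED, getValue() is the old value; for ADDED it is the new one.
        Object value = event.getValue();
        String type = (value == null) ? "null" : value.getClass().getName();

        // A session ID is a bearer credential: never write the full value to a log.
        // The first few characters are enough to correlate events from one session.
        String id = event.getSession().getId();
        String idPrefix = id.length() > 8 ? id.substring(0, 8) + "..." : id;

        String msg = String.format("session %s: %s attribute '%s' (value type %s)",
                idPrefix, what, event.getName(), type);

        // Constructing a Throwable captures the current call stack; the log handler
        // prints it, showing which servlet, filter or container code fired the event.
        LOG.log(Level.INFO, msg, new Throwable("origin of session-attribute event"));
    }
}
```

Drop the class into the web application's classes directory (or WEB-INF/classes) and redeploy. If Chris is right that the session-fixation step only calls setSessionId() on the same session object, the listener will log nothing at login time for the attribute in question; a REMOVED entry whose stack trace passes through HttpSession.invalidate() points at authentication code that discards the old session rather than letting Tomcat re-key it, which would also explain the logged session ID changing in Hardy's own logs.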