Well, at least you do a bit of protection instead of just disabling the session fixation security filter. However, be aware that potentially many people might come from the same IP address - either because it's a NATing home router or a big company's proxy server. Especially if you want to attack someone who's in the same network as yourself, this IP-based protection is quite useless.
I think I'm seeing the problems, and as long as you know what you're doing and you accept the unavoidable consequences of this lower-grade protection, everything is fine.

It still sounds funny that the session is not available with the next requests... Might be worth trying different browsers for their timing on the receipt of the cookie.

Also, as you call HttpServletRequest.login manually, double check that you're doing this before the response is committed to the client, specifically before any other (old) session id cookie is already in the response stream. It sounds weird, but might help you debug further (note that I'm not looking at tomcat's code. Apologies if I'm not making sense)

Olaf

On 11.01.2016 at 21:52, Thomas Scheffler wrote:
>
> I will file two bugs soon describing the issues I had. Hopefully they
> will be fixed.
>
> 1.) if using HttpServletRequest.login(String, String) further requests
> in the session are losing the user's Principal.
>
> 2.) After changing sessionId, old sessionIds should still be valid for
> a short period of time to the same client.
>
> Fixing one of these would cause the bug to disappear.
>
> To prevent session fixation attacks, I use IP address checking so that
> sessions are bound to the same IP address.
>
> Thanks to all the responses. Without your help it would not have been
> possible to get this fixed after two months of searching!
>
> kind regards,
>
> Thomas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> ---------------------------------------------------------------------
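The ordering Olaf recommends (authenticate and rotate the session id before anything is written to the response) as an added example servlet; this is not code from the thread or from Tomcat. It assumes a Servlet 3.1 container (Tomcat 8 or later, where HttpServletRequest.changeSessionId() exists) and form fields named "username" and "password".

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet (added example). The point is the order:
// nothing may be flushed to the client before login() and changeSessionId(),
// so the browser only ever receives the fresh JSESSIONID cookie and never a
// stale pre-authentication id next to it.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // If any filter or JSP already committed the response, the Set-Cookie
        // header for the rotated id can no longer be sent; fail loudly here.
        if (resp.isCommitted()) {
            throw new IllegalStateException("response already committed before login");
        }

        String user = req.getParameter("username");   // assumed form field name
        String pass = req.getParameter("password");   // assumed form field name

        // Make sure a session exists before authenticating so there is an id
        // to discard; an attacker may have planted it (session fixation).
        HttpSession session = req.getSession(true);

        try {
            req.login(user, pass);                    // container-managed authentication
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Session fixation defence: invalidate the pre-authentication id and
        // issue a new one while keeping the session's attributes (Servlet 3.1+).
        req.changeSessionId();

        // Only now start writing the response; the new cookie goes out with it.
        log("authenticated " + user + " and rotated session id");
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

Any servlet filter that runs before this one and writes to the response body (or flushes a buffer) would make resp.isCommitted() true and reproduce the "old session id cookie already in the stream" symptom described above.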