Dear all, I'm currently trying to find a way to fight "Session Fixation" (http://www.owasp.org/index.php/Session_Fixation) in Tomcat when using the built-in mechanisms to authenticate users of a servlet. In the environment in question, our own realm implementation is in place and we use the SingleSignOn feature as well.
I've asked Google and also looked through this list, but I couldn't find anything on the subject. So, my question is: has anyone out there successfully solved this problem and has a solution that integrates neatly with the standard authentication mechanisms Tomcat provides? Or is it in fact not a problem at all?

A common solution to fix the problem is to renew the session (or at least its ID) right before/after the user is authenticated (i.e. in the same request). I came up with a custom valve that kind of does the job, but I'm really not sure whether this is the way to go or if I'm messing too much with Tomcat internals.

Thanks for any help.

Kind regards,
Christoph
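The renewal step described in the post (rotate the session ID in the same request in which the container first reports an authenticated user) can be done without touching Tomcat internals by using the standard Servlet API. The filter below is an added example written for this page, not code from the original message or from Tomcat; it assumes a Servlet 3.1 container (so that HttpServletRequest.changeSessionId() exists), the javax.servlet package namespace, and a session attribute name (example.sessionfixation.rotatedFor) chosen here purely for illustration.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Session-fixation defence as a plain servlet Filter (example code).
 *
 * On the first request in which the container reports an authenticated
 * principal for an already-existing session, the session ID is replaced.
 * The session object and its attributes are kept; only the identifier an
 * attacker could have planted before login becomes useless.
 */
public class SessionIdRotationFilter implements Filter {

    /** Hypothetical attribute name; any app-unique key works. */
    static final String ROTATED_FOR = "example.sessionfixation.rotatedFor";

    @Override
    public void init(FilterConfig config) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            // Filters run after Tomcat's authenticator valve, so on the first
            // authenticated request getUserPrincipal() is already populated.
            rotateIfNewlyAuthenticated((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    /**
     * Rotates the session ID when this is the first authenticated request for
     * the current principal on this session.
     *
     * @return true if the ID was changed on this request, false otherwise
     */
    static boolean rotateIfNewlyAuthenticated(HttpServletRequest request) {
        Principal user = request.getUserPrincipal();
        if (user == null) {
            return false; // anonymous request: nothing to protect yet
        }
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false; // authenticated but sessionless (e.g. BASIC without a session)
        }
        Object rotatedFor = session.getAttribute(ROTATED_FOR);
        if (user.getName().equals(rotatedFor)) {
            return false; // already rotated for this principal
        }
        // Container-managed rotation: a fresh ID is generated, the session's
        // attributes are preserved and a new Set-Cookie header is emitted.
        request.changeSessionId();
        session.setAttribute(ROTATED_FOR, user.getName());
        return true;
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Map the filter to /* in web.xml so it sees the first authenticated request regardless of which URL triggered the login. Two caveats worth checking in a deployment like the one described: first, newer Tomcat releases already do this themselves, since AuthenticatorBase has a changeSessionIdOnAuthentication attribute (default true) that rotates the ID at authentication time, so a filter like the one above is only needed on containers that lack it; second, the SingleSignOn valve issues its own SSO cookie at the moment of successful authentication, so it is the per-webapp session ID that was issued before login, not the SSO token, that this rotation targets.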