Hello,

I am upgrading my applications from Tomcat 6.0.18 to 6.0.24 and came across the 
following problem with the protection mechanism against session fixation 
attacks. During authentication my Authenticator implementation requires access 
to the HTTP session before it invokes method register(request, response, 
principal, authType, username, password). When it accesses the HTTP session the 
Response is instructed to send Set-Cookie with a newly generated JSESSIONID, and 
immediately after that - as part of the register method invocation - the 
Request is instructed to change the JSESSIONID. The problem is that 
Request.changeSessionId does not check whether the response has already been 
instructed to issue a Set-Cookie header for the session ID and simply adds a 
second cookie to be sent to the browser. The HTTP response contains two 
Set-Cookie headers for JSESSIONID with different values, where the second is 
the newest one. As MS IE uses the first cookie it receives, it is not able to 
connect to the session with the next requests.

I tried to find information on this problem in the documentation, bug database, 
etc, but with no success. Is this issue already known or should I report it as 
a bug?

Kind regards,
Stephan

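The situation described in the message above (one HTTP response carrying two Set-Cookie headers for JSESSIONID with different values, and a client that keeps the first one ending up with a session id the server no longer recognises) can be checked for in a captured response. The following is an added example for this page, not code from the post, from Tomcat or from its Authenticator API; the raw response text is constructed to mirror the post's description, and the "first wins" / "last wins" client models are assumptions used to show how the two kinds of browser behaviour diverge.

```python
"""Detect conflicting Set-Cookie headers for one cookie name in a raw HTTP
response and model what session id a client would send back.

Constructed example, not Tomcat code. SAMPLE_RESPONSE is made up to mirror
the post: a newly created session id is set first, then changeSessionId
appends a second Set-Cookie with the id the server actually switched to.
"""
from http.cookies import SimpleCookie

# Constructed sample: two JSESSIONID cookies, the second is the current one.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=AAAA1111; Path=/app\r\n"
    "Location: http://localhost:8080/app/\r\n"
    "Set-Cookie: JSESSIONID=BBBB2222; Path=/app\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample of a response that sets the session id exactly once.
CLEAN_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: JSESSIONID=CCCC3333; Path=/app\r\n"
    "Location: http://localhost:8080/app/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return (name, value) pairs from the header section, lower-cased names,
    in the order they appear on the wire (order matters for this bug)."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def set_cookie_values(raw):
    """Map cookie name -> list of values, in Set-Cookie header order."""
    result = {}
    for name, value in parse_headers(raw):
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # parses "NAME=value; Path=/app; ..." into one morsel
        for key, morsel in jar.items():
            result.setdefault(key, []).append(morsel.value)
    return result


def conflicting_cookies(raw):
    """Cookie names that were set more than once with differing values.
    A non-empty result is the symptom the post describes."""
    return {k: v for k, v in set_cookie_values(raw).items() if len(set(v)) > 1}


def cookie_seen_by_client(raw, name, first_wins):
    """Assumed client models: a client that keeps the first Set-Cookie for a
    name (the behaviour the post attributes to IE) versus one that keeps the
    last. Returns the value that client would send on its next request."""
    values = set_cookie_values(raw).get(name, [])
    if not values:
        return None
    return values[0] if first_wins else values[-1]


def dedupe_set_cookie(raw):
    """Rebuild the header section keeping only the last Set-Cookie per cookie
    name, which is what a response filter or reverse proxy could do as a
    workaround until the server emits a single header."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status, headers = lines[0], lines[1:]
    last_index = {}
    for i, line in enumerate(headers):
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value.strip())
            for key in jar:
                last_index[key] = i
    keep = set(last_index.values())
    kept = []
    for i, line in enumerate(headers):
        name, _, _ = line.partition(":")
        if name.strip().lower() == "set-cookie" and i not in keep:
            continue
        kept.append(line)
    return "\r\n".join([status] + kept) + sep + body


if __name__ == "__main__":
    print("conflicts:", conflicting_cookies(SAMPLE_RESPONSE))
    print("first-wins client sends:",
          cookie_seen_by_client(SAMPLE_RESPONSE, "JSESSIONID", True))
    print("last-wins client sends:",
          cookie_seen_by_client(SAMPLE_RESPONSE, "JSESSIONID", False))
```

Run against a response captured from the server (for example with a logging proxy), `conflicting_cookies` returns the cookie names that were set twice with different values; for the constructed sample the first-wins client model ends up with `AAAA1111` while the server is on `BBBB2222`, which is exactly the lost-session behaviour described above. `dedupe_set_cookie` shows the shape of a workaround at the response-filter or proxy layer, and is not a fix inside Tomcat itself.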