
Retain Session on Login Feature broken


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.3.1
    • Fix Version/s: 2.3.2
    • Component/s: Security
    • Labels: None

    Description

      With Tomcat 6, keeping the same session from guest state to logged in state was default behavior. With Tomcat 7, to address Session Fixation attacks, this behavior was locked down, see:

      https://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm

      Tomcat 7 and 8 support a setting in context.xml to configure this behavior:

      https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html

      changeSessionIdOnAuthentication

      Controls if the session ID is changed if a session exists at the point where users are authenticated. This is to prevent session fixation attacks. If not set, the default value of true will be used.

      <Valve className="org.apache.catalina.authenticator.FormAuthenticator" characterEncoding="UTF-8" changeSessionIdOnAuthentication="false"/>
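      Setting changeSessionIdOnAuthentication="false" restores the old behavior but also gives up the fixation protection the report describes. The helper below is an added example, not Jetspeed code and not from this issue: it shows how an application can keep the guest session's state across login while still issuing a fresh session ID. The class name, method name and the assumption that the application's state lives in session attributes are all hypothetical.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not part of Jetspeed): rotate the session ID at login
 * while carrying the guest session's attributes into the authenticated session.
 * This keeps Tomcat's changeSessionIdOnAuthentication protection in place
 * instead of switching it off in context.xml.
 */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Call after credentials have been verified but before the user is marked
     * as logged in. Returns the new session, which now holds the old attributes.
     */
    public static HttpSession rotateAndRetain(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> retained = new HashMap<>();
        if (old != null) {
            // Copy every attribute the guest session accumulated (locale,
            // page state, and so on) before the old ID is discarded.
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                retained.put(name, old.getAttribute(name));
            }
            // Invalidating the old session retires any ID that existed before
            // login, which is the session fixation case Tomcat 7 guards against.
            old.invalidate();
        }
        // A new session gets a new ID; restore the retained state into it.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : retained.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

      On a Servlet 3.1 container (Tomcat 8 and later) the single call request.changeSessionId() rotates the ID in place and is the simpler choice; the copy-and-invalidate form above is what remains portable to Servlet 3.0 (Tomcat 7). Either way, any server-side state keyed by the old session ID rather than stored as a session attribute must be re-keyed by the application, which is an assumption about the application and not something this report states.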

      People

        Assignee: David Sean Taylor
        Reporter: David Sean Taylor