Hi, I was discussing the problem of session fixation [1] on the tomcat-users list [2] and thought that it would be interesting to hear a developer's opinion on that subject.

Basically, I'd like to know what you think about a feature request/bug report that the Tomcat container should take care of session fixation by automatically renewing the session (or at least its id) upon a successful login. Unfortunately, the possibilities to hook into the login process (e.g. when using form-based login) are rather limited. When providing a custom realm implementation, it is not possible to gain access to the current session AFAIK. What is left (and what I have done): come up with a custom valve implementation that tries to fix the problem. However, this seems a rather clumsy way to fight the problem.

If you think such a request would be a bad idea, how would you fight the problem?

Thanks.

kind regards,
christoph

[1]: http://www.owasp.org/index.php/Session_Fixation
[2]: http://mail-archives.apache.org/mod_mbox/tomcat-users/200802.mbox/[EMAIL PROTECTED]
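The renewal the post asks for, written as an added example rather than code from the post or from Tomcat itself: a plain servlet filter that, on the first request after the container has authenticated the user, gives the existing session a fresh id so that any id an attacker planted before login is no longer honoured afterwards. It assumes a container implementing Servlet 3.1 or later (which provides `HttpServletRequest.changeSessionId()`; this API did not exist when the post was written) and that container-managed login runs before filters, so a non-null `getUserPrincipal()` means authentication already succeeded. The class name, the marker attribute name and the helper method are hypothetical.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (example code, not Tomcat's own): renew the session id
 * once, right after the container has authenticated the user, so that a
 * session id fixed by an attacker before login stops being valid after it.
 *
 * Map it to "/*" in web.xml (or with @WebFilter) so it sees every request.
 */
public class SessionRenewalFilter implements Filter {

    // Assumed marker attribute: remembers which principal the current
    // session id was issued for, so the id is renewed once per login.
    static final String RENEWED_FOR = "example.session.renewedFor";

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            renewIfJustAuthenticated((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    /** Returns true when the session id was changed on this request. */
    static boolean renewIfJustAuthenticated(HttpServletRequest request) {
        // Container-managed login (e.g. form-based) has already run, so a
        // non-null principal means authentication succeeded.
        if (request.getUserPrincipal() == null) {
            return false;
        }
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        String user = request.getUserPrincipal().getName();
        // Already renewed for this identity: nothing to do on later requests.
        if (user.equals(session.getAttribute(RENEWED_FOR))) {
            return false;
        }
        // Servlet 3.1: keep the same session object and its attributes, but
        // issue a new id. Because the session object survives, anything the
        // container bound to it at login time (such as a cached principal)
        // survives too, unlike an invalidate()/getSession(true) cycle.
        request.changeSessionId();
        session.setAttribute(RENEWED_FOR, user);
        return true;
    }
}
```

On a container older than Servlet 3.1 the only portable alternative is to call `session.invalidate()` and then `request.getSession(true)`, copying the attributes across by hand. With Tomcat's form authenticator that is not equivalent: by default it caches the authenticated principal in the session, so invalidating the session also discards the login and the next request is sent back to the login form, which is why the post ends up at a container-level valve rather than application code.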