https://issues.apache.org/bugzilla/show_bug.cgi?id=51631
Bug #: 51631
Summary: Bug in the Session Fixation Protection Feature
Product: Tomcat 7
Version: 7.0.12
Platform: PC
Status: NEW
Severity: major
Priority: P2
Component: Catalina
AssignedTo: [email protected]
ReportedBy: [email protected]
Classification: Unclassified
Created attachment 27359
--> https://issues.apache.org/bugzilla/attachment.cgi?id=27359
The AuthenticatorBase.java file with fix
Bug in the Session Fixation Protection Feature
The Session Fixation Protection feature was added to Apache Tomcat 7 and Apache
Tomcat 6.
The feature can be problematic if an application does not use the Form
Authenticator and, in addition, the application creates a session.
In this case the session will not be created by an authenticator, and upon the
next request the session fixation protection feature in the authenticator will
recreate the session. The problem is that the application can lose its state.
How to fix the bug?
Please find the attached patch for Apache Tomcat 7.
The fix will allow the authenticator to create a session upon authentication,
so the application will not need to create a session.
Tomcat 7 already has the variable alwaysUseSession, but unfortunately it is not
possible to configure it.
BTW, I think that a better name for the variable is enforceSessionCreation.
When it is released, it will be required to configure the context of your
application (not the main context $CATALINA_BASE/conf/context.xml):
<Context>
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
         alwaysUseSession="true"/>
</Context>
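The state-loss scenario the report describes, as an added model that is not Tomcat's code and not part of the original report: a minimal in-memory session store (constructed for this example) with two authentication handlers. One rotates the session id on login while keeping the attributes the application stored before authentication, which is the behaviour session fixation protection needs; the other discards the pre-login session and starts an empty one, which is the failure mode reported above. The session store, handler names and the sample "cart" attribute are all assumptions for illustration.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store (a constructed model, not Tomcat's Manager)."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def rotate_id(self, sid):
        """Give an existing session a fresh id but keep its attributes.

        This is the shape of session fixation protection that does not lose
        state: the id known before login stops working, the data survives.
        """
        attrs = self._sessions.pop(sid)
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = attrs
        return new_sid

    def recreate(self, sid):
        """Drop the old session and start an empty one.

        This is the state-losing behaviour the report complains about.
        """
        self._sessions.pop(sid, None)
        return self.create()


def authenticate_rotating(store, sid, user):
    """Login handler that rotates the id and keeps pre-login attributes."""
    if store.get(sid) is None:
        sid = store.create()  # authenticator creates the session itself if none exists
    new_sid = store.rotate_id(sid)
    store.get(new_sid)["user"] = user
    return new_sid


def authenticate_recreating(store, sid, user):
    """Login handler that throws away whatever the application stored before login."""
    new_sid = store.recreate(sid)
    store.get(new_sid)["user"] = user
    return new_sid


def demo(handler):
    """Simulate one pre-login request that stores state, then a login.

    Returns (old_id_still_valid, attributes_after_login, id_was_changed).
    """
    store = SessionStore()
    sid = store.create()                 # the application creates the session ...
    store.get(sid)["cart"] = ["item-1"]  # ... and stores state in it (constructed sample)
    new_sid = handler(store, sid, "alice")
    return store.get(sid) is not None, dict(store.get(new_sid)), sid != new_sid


if __name__ == "__main__":
    print("rotating  :", demo(authenticate_rotating))
    print("recreating:", demo(authenticate_recreating))
```

In both variants the pre-login id is invalidated and a new id is issued, so an id an attacker fixed before login is useless afterwards; the difference is only whether the application's own attributes survive the rotation, which is exactly what the reporter's alwaysUseSession configuration is meant to secure.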