Author: markt
Date: Fri Oct  4 21:48:16 2013
New Revision: 1529321

URL: http://svn.apache.org/r1529321
Log:
Expand note in docs regarding use of sessionCookiePath="/".

Modified:
    tomcat/tc7.0.x/trunk/   (props changed)
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc7.0.x/trunk/webapps/docs/config/context.xml

Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
  Merged /tomcat/trunk:r1529317

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1529321&r1=1529320&r2=1529321&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri Oct  4 21:48:16 2013
@@ -111,6 +111,11 @@
         Ensure Javadoc comments are associated with the correct elements in
         <code>org.apache.tomcat.jni.Poll</code>. (markt)
       </fix>
+      <add>
+        Expand Context documentation for the use of
+        <code>sessionCookiePath=&quot;/&quot;</code> to make the implications
+        for session fixation protection clearer. (markt)
+      </add>
     </changelog>
   </subsection>
 </section>

Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/context.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/context.xml?rev=1529321&r1=1529320&r2=1529321&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/config/context.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/context.xml Fri Oct  4 21:48:16 
2013
@@ -448,6 +448,14 @@
         useful for portlet specification implementations) set this attribute to
         <code>/</code> in the global 
<code>CATALINA_BASE/conf/context.xml</code>
         file.</p>
+        <p>Note: Once one web application using
+        <code>sessionCookiePath=&quot;/&quot;</code> obtains a session, all
+        subsequent sessions for any other web application in the same host also
+        configured with <code>sessionCookiePath=&quot;/&quot;</code> will 
always
+        use the same session ID. This holds even if the session is invalidated
+        and a new one created. This makes session fixation protection more
+        difficult and requires custom, Tomcat specific code to change the
+        session ID shared by the multiple applications.</p>
       </attribute>
 
       <attribute name="sessionCookiePathUsesTrailingSlash" required="false">
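Review bot: The added paragraph gives the consequence (every application on the host ends up sharing one session ID) but not the reason, so a reader may take it for a Tomcat bug rather than a property of the configuration. It would be clearer to say that a cookie with path `/` is sent by the browser to every application on the host, so each application's session is created or resumed under the ID it is presented with; that is why invalidating the session in one application and creating a new one does not yield a fresh ID, and why session fixation protection has to change the ID for all the applications at once rather than for one. Two smaller points: "Tomcat specific" should be hyphenated ("Tomcat-specific"), and "requires custom, Tomcat specific code" leaves the reader without a next step; saying at least that the standard Servlet API offers no way to do this, and where the Tomcat-specific hook lives, would make the warning actionable.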
