David Sean Taylor created JS2-1359:
--------------------------------------
Summary: Retain Session on Login Feature broken
Key: JS2-1359
URL: https://issues.apache.org/jira/browse/JS2-1359
Project: Jetspeed 2
Issue Type: Bug
Components: Security
Affects Versions: 2.3.1
Reporter: David Sean Taylor
Assignee: David Sean Taylor
Fix For: 2.3.2
With Tomcat 6, keeping the same session from guest state to logged in state was
default behavior. With Tomcat 7, to address Session Fixation attacks, this
behavior was locked down, see:
https://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm
Tomcat 7 and 8 support a setting in context.xml to configure this behavior:
https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html
changeSessionIdOnAuthentication
Controls if the session ID is changed if a session exists at the point where
users are authenticated. This is to prevent session fixation attacks. If not
set, the default value of true will be used.
<Valve className="org.apache.catalina.authenticator.FormAuthenticator"
characterEncoding="UTF-8" changeSessionIdOnAuthentication="false"/>
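Setting changeSessionIdOnAuthentication="false" restores the old behaviour by giving up the fixation protection. An added example (not Jetspeed or Tomcat code) of the alternative: keep the guest session's attributes while still rotating the ID. It assumes a Servlet API on the classpath; changeSessionId() exists only from Servlet 3.1 (Tomcat 8), so the Servlet 3.0 path for Tomcat 7 copies attributes into a new session by hand.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (not Jetspeed code): carry a guest session's state into the
 * authenticated session while still issuing a fresh session ID, which is the
 * property Tomcat's changeSessionIdOnAuthentication=true protects.
 */
public final class SessionMigration {

    private SessionMigration() {}

    /**
     * Servlet 3.1+ (Tomcat 8): the container keeps the HttpSession object and its
     * attributes but assigns a new ID, so nothing has to be copied by hand.
     * Returns the new session ID.
     */
    public static String rotateId(HttpServletRequest request) {
        return request.changeSessionId();
    }

    /**
     * Servlet 3.0 (Tomcat 7) fallback: invalidate the guest session and rebuild
     * its attributes in a brand-new session. Copying the attributes explicitly is
     * what keeps "retain session on login" working without turning fixation
     * protection off in context.xml.
     */
    public static HttpSession migrate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<>();
        if (old != null) {
            for (Enumeration<String> names = old.getAttributeNames(); names.hasMoreElements();) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true); // a new session ID is issued here
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Call one of these from the login handler at the point where the user has just been authenticated; on Tomcat 8 the container already does the rotateId step when changeSessionIdOnAuthentication is left at its default of true.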