[ https://issues.apache.org/jira/browse/JS2-1359?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Sean Taylor resolved JS2-1359.
------------------------------------
Resolution: Fixed
Provided an example changeSessionIdOnAuthentication attribute in context.xml, but
defaulted it to the secure setting of true. If you need the old behavior, set
changeSessionIdOnAuthentication=false
> Retain Session on Login Feature broken
> --------------------------------------
>
> Key: JS2-1359
> URL: https://issues.apache.org/jira/browse/JS2-1359
> Project: Jetspeed 2
> Issue Type: Bug
> Components: Security
> Affects Versions: 2.3.1
> Reporter: David Sean Taylor
> Assignee: David Sean Taylor
> Fix For: 2.3.2
>
>
> With Tomcat 6, keeping the same session from guest state to logged in state
> was default behavior. With Tomcat 7, to address Session Fixation attacks,
> this behavior was locked down, see:
> https://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm
> Tomcat 7 and 8 support a setting in context.xml to configure this behavior:
> https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html
> changeSessionIdOnAuthentication
> Controls if the session ID is changed if a session exists at the point where
> users are authenticated. This is to prevent session fixation attacks. If not
> set, the default value of true will be used.
> <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
> characterEncoding="UTF-8" changeSessionIdOnAuthentication="false"/>
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
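Added illustration, not code from the Jetspeed or Tomcat projects: a constructed Python model of the two settings of changeSessionIdOnAuthentication. With the secure default the session ID issued before login no longer resolves to the authenticated user (the condition a fixation attack depends on) while the session's attributes carry over, which is what "retaining the session" actually needs; with the attribute set to false the guest ID keeps working after login. The class and function names and the in-memory store layout are assumptions.

```python
import secrets


class SessionManager:
    """Minimal model of a servlet container's session store (constructed example)."""

    def __init__(self, change_session_id_on_authentication: bool = True):
        # Mirrors the Tomcat valve attribute; True is Tomcat's default.
        self.change_session_id_on_authentication = change_session_id_on_authentication
        self._sessions: dict[str, dict] = {}

    def create_session(self) -> str:
        """Guest (pre-authentication) session, e.g. a visitor browsing the portal."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": None, "attributes": {}}
        return sid

    def set_attribute(self, sid: str, key: str, value) -> None:
        self._sessions[sid]["attributes"][key] = value

    def authenticate(self, sid: str, user: str) -> str:
        """Log the user in; returns the session ID the client must use from now on."""
        session = self._sessions[sid]
        session["user"] = user
        if not self.change_session_id_on_authentication:
            return sid  # old behaviour: the pre-login ID survives authentication
        # Secure default: new ID, same session state (locale, guest cart, ...).
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = self._sessions.pop(sid)
        return new_sid

    def user_for(self, sid: str):
        session = self._sessions.get(sid)
        return session["user"] if session else None

    def attributes_for(self, sid: str):
        session = self._sessions.get(sid)
        return dict(session["attributes"]) if session else None


def login_outcome(change_session_id: bool) -> tuple[bool, dict]:
    """Returns (pre-login ID still maps to the user, attributes visible after login)."""
    mgr = SessionManager(change_session_id)
    guest_sid = mgr.create_session()
    mgr.set_attribute(guest_sid, "locale", "en_US")  # constructed guest state
    post_login_sid = mgr.authenticate(guest_sid, "alice")
    return mgr.user_for(guest_sid) == "alice", mgr.attributes_for(post_login_sid)
```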