Re: Notifying application of session changes that happened outside of it's scope

2014-03-14 Thread Christopher Schultz
Konstantin, On 3/14/14, 11:28 AM, Konstantin Kolinko wrote: > 2014-03-14 19:04 GMT+04:00 Christopher Schultz > : >> Joseph, >> >> On 3/14/14, 9:49 AM, Joesph Bleau wrote: >>> I should also mention that after some very simple testing I >>> was able

Re: Notifying application of session changes that happened outside of it's scope

2014-03-14 Thread Joesph Bleau
Would anybody be surprised if I mentioned that we're running an outdated version of tomcat? Thanks for the tip. I'm going to remove Spring's session fixation prevention strategy, and also remove the custom valve I had written and upgrade to a version unaffected by this and test. This is going to alleviate

Re: Notifying application of session changes that happened outside of it's scope

2014-03-14 Thread Konstantin Kolinko
2014-03-14 19:04 GMT+04:00 Christopher Schultz : > Joseph, > > On 3/14/14, 9:49 AM, Joesph Bleau wrote: >> I should also mention that after some very simple testing I was >> able to confirm that (of course) Tomcat is notifying my application >> when the session is invalidated in a valve. I'm still

Re: Notifying application of session changes that happened outside of it's scope

2014-03-14 Thread Christopher Schultz
Joseph, On 3/14/14, 9:49 AM, Joesph Bleau wrote: > I should also mention that after some very simple testing I was > able to confirm that (of course) Tomcat is notifying my application > when the session is invalidated in a valve. I'm still fairly n

Re: Notifying application of session changes that happened outside of it's scope

2014-03-14 Thread Joesph Bleau
I should also mention that after some very simple testing I was able to confirm that (of course) Tomcat is notifying my application when the session is invalidated in a valve. I'm still fairly new to this entire stack, so forgive my ignorance. :-) Cheers. On Fri, Mar 14, 2014 at 9:46 AM, Joesph

Re: Notifying application of session changes that happened outside of it's scope

2014-03-14 Thread Joesph Bleau
It's possible (read: likely) that we're doing something incorrectly, but we're using Spring and it was already attempting to provide session fixation within the application by invalidating sessions upon authentication. However, it appears that tomcat was providing us with the same session ID for ou

Re: Notifying application of session changes that happened outside of it's scope

2014-03-14 Thread Christopher Schultz
Joseph, On 3/14/14, 5:59 AM, Joesph Bleau wrote: > Right now we're running our application in Tomcat and using > hazelcast to share information across our multiple instances. In an > attempt to prevent session fixation I implemented a tomcat valve >

Notifying application of session changes that happened outside of it's scope

2014-03-14 Thread Joesph Bleau
Hi all, Right now we're running our application in Tomcat and using hazelcast to share information across our multiple instances. In an attempt to prevent session fixation I implemented a tomcat valve which invalidates sessions when a user authenticates (or in this case, just visits the authentica