[
http://jira.magnolia-cms.com/browse/MAGNOLIA-3248?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=29019#action_29019
]
Grégory Joseph commented on MAGNOLIA-3248:
------------------------------------------
We could additionally drop cookies when logging in/out, but I'm unsure if/how
this would affect cookie-less users.
Tomcat provides valves that actually take care of this problem:
http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html - but these are only
useful when using tomcat's own auth system, and use tomcat-specific code to
achieve the id change.
> Invalidate session
> ------------------
>
> Key: MAGNOLIA-3248
> URL: http://jira.magnolia-cms.com/browse/MAGNOLIA-3248
> Project: Magnolia
> Issue Type: Improvement
> Components: core, security
> Affects Versions: 4.3.2
> Reporter: Grégory Joseph
> Assignee: Philipp Bärfuss
> Fix For: 4.3.x
>
>
> Two issues in one:
> * when logging out, the session is invalidated, but somehow a session gets
> recreated with the same ID as previously (but session.isNew() is true) for
> the anonymous user (while there is no session for anonymous users if no
> session existed previously)
> * when logging in, the existing session is *not* invalidated, and likewise,
> the same session ID is kept.
> This behavior is seen as a threat by security inspecting systems. At the very
> least, we should indeed invalidate an existing session when logging in.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.magnolia-cms.com/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
----------------------------------------------------------------
For list details see
http://www.magnolia-cms.com/home/community/mailing-lists.html
To unsubscribe, E-mail to: <[email protected]>
----------------------------------------------------------------
