David Sean Taylor created JS2-1359:
--------------------------------------

             Summary: Retain Session on Login Feature broken
                 Key: JS2-1359
                 URL: https://issues.apache.org/jira/browse/JS2-1359
             Project: Jetspeed 2
          Issue Type: Bug
          Components: Security
    Affects Versions: 2.3.1
            Reporter: David Sean Taylor
            Assignee: David Sean Taylor
             Fix For: 2.3.2
With Tomcat 6, keeping the same session from guest state to logged-in state was the default behavior. With Tomcat 7, to address session fixation attacks, this behavior was locked down, see:

https://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm

Tomcat 7 and 8 support a setting in context.xml to configure this behavior:

https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html

changeSessionIdOnAuthentication
    Controls if the session ID is changed if a session exists at the point where users are authenticated. This is to prevent session fixation attacks. If not set, the default value of true will be used.

<Valve className="org.apache.catalina.authenticator.FormAuthenticator"
       characterEncoding="UTF-8"
       changeSessionIdOnAuthentication="false"/>

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscr...@portals.apache.org
For additional commands, e-mail: jetspeed-dev-h...@portals.apache.org
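Setting changeSessionIdOnAuthentication="false" as shown in the issue restores the Tomcat 6 behavior, but it does so by switching off the container's session fixation protection for every login. The check a practitioner wants is whether the guest state can be kept while the session id is still rotated. The following is an added example, not Jetspeed or Tomcat code: it assumes the Servlet 3.0 API (javax.servlet, the level Tomcat 7 provides) and that it is called from the application's own login path once the credentials have been verified. The class and method names are hypothetical.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example (not Jetspeed or Tomcat code).
 *
 * Carries the guest session's attributes across login while still issuing a
 * fresh session id, so the application keeps its "retain session on login"
 * behavior without relying on changeSessionIdOnAuthentication="false".
 */
public final class SessionIdRotator {

    private SessionIdRotator() {
    }

    /**
     * Invalidates the current session and creates a new one carrying the same
     * attributes. Call it after the credentials have been verified and before
     * the authenticated principal is stored in the session.
     *
     * Works on Servlet 3.0 containers such as Tomcat 7. On a Servlet 3.1
     * container (Tomcat 8) a single call to request.changeSessionId() rotates
     * the id in place and makes the copy below unnecessary.
     *
     * @return the new session holding the old attributes
     */
    public static HttpSession rotateSessionId(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // No guest session to carry over: a session created here never
            // had a pre-login id, so there is nothing to rotate.
            return request.getSession(true);
        }

        // Snapshot the attributes before invalidation makes them inaccessible.
        Map<String, Object> saved = new HashMap<>();
        for (String name : Collections.list(old.getAttributeNames())) {
            saved.put(name, old.getAttribute(name));
        }

        // Discard the pre-login id ...
        old.invalidate();

        // ... issue a new one, and restore the guest state onto it.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

The rotation must happen before anything tied to the authenticated user is written, otherwise that data is stored on the id the browser already held before login. Anything that keys state on the session id string itself (rather than on the HttpSession object or its attributes) has to be re-keyed after the call, since the id changes by design.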