Re: Is it normal to keep the value when Tomcat restarts after JSESSIONID was created?
I found the cause. Setting the context attribute sessionCookiePath="/" has the same effect as emptySessionPath. The Tomcat documentation says that if emptySessionPath is set, Tomcat uses the session id value from the client request. I have solved it. Thanks for your comment.

On 2014-10-24 at 12:42 AM, "Christopher Schultz" wrote:

> 이강우,
>
> On 10/23/14 1:56 AM, 이강우(KangWoo Lee) wrote:
> > OK, I understand.
> >
> > -> the session identifier should change to prevent session-fixation
> > attacks.
> >
> > But how can I set Tomcat to regenerate the id value? I searched the
> > documentation but can't find it.
>
> I'm not sure what you are asking. Can you ask in a different way? Do
> you want Tomcat to reject the requested (invalid) session id and
> generate a new one instead?
>
> -chris
Re: Is it normal to keep the value when Tomcat restarts after JSESSIONID was created?
이강우,

On 10/23/14 1:56 AM, 이강우(KangWoo Lee) wrote:
> OK, I understand.
>
> -> the session identifier should change to prevent session-fixation
> attacks.
>
> But how can I set Tomcat to regenerate the id value? I searched the
> documentation but can't find it.

I'm not sure what you are asking. Can you ask in a different way? Do
you want Tomcat to reject the requested (invalid) session id and
generate a new one instead?

-chris
Re: Is it normal to keep the value when Tomcat restarts after JSESSIONID was created?
OK, I understand.

-> the session identifier should change to prevent session-fixation attacks.

But how can I set Tomcat to regenerate the id value? I searched the documentation but can't find it.
Re: Is it normal to keep the value when Tomcat restarts after JSESSIONID was created?
이강우,

On 10/22/14 4:41 AM, 이강우(KangWoo Lee) wrote:
> Environment
> - openjdk 1.7
> - tomcat 7.0.55 with native connector
> - apache 2.4.10 with mod-jk 1.2.40
>
> 1. Tomcat start
> 2. Client request -> JSESSIONID is null
> 3. Tomcat response -> JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 is created
> 4. Refresh page -> session attribute (name=count, value=count++) is correct. count is increasing.

Good so far.

> 5. Tomcat stop -> start (restart). The context setting is that the session is not persisted.

Okay.

> 6. Client refresh -> the client request sends JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98
> 7. Session attribute (name=count, value=0) is reset, but JSESSIONID is kept.
>
> Question: why does Tomcat use the JSESSIONID value set by the client request? Is it not regenerated?

If the client requests a session by id, Tomcat will try to give it to them. If it doesn't exist, it will use that session identifier for the new session.

Did the user actually authenticate with Tomcat? Or just get an anonymous session? If the user authenticates with Tomcat, the session identifier should change to prevent session-fixation attacks.

> Is this Java spec?

I believe the spec says nothing about the generation of session ids. Even the above session-fixation behavior is outside of the spec (but definitely does not violate it).

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
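As an added illustration of the two points in this thread, Chris's advice that the session identifier should change on authentication and KangWoo's finding about sessionCookiePath="/", here is a Servlet 3.0 filter for Tomcat 7 (example code, not from the thread or from Tomcat) that logs requests presenting a JSESSIONID the server does not know, plus a helper that application login code can call to replace the session id. The class and logger names are assumptions; the helper uses only the Servlet 3.0 API, and its caveat about sessionCookiePath="/" follows the reuse behaviour described in this thread.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical class), written against the Servlet 3.0 API shipped with Tomcat 7.
public class SessionFixationGuard implements Filter {
    private static final Logger LOG = Logger.getLogger(SessionFixationGuard.class.getName());

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // The browser presented a JSESSIONID but no such session exists here. Right after a restart
        // without session persistence this is expected (the thread's steps 5-7); in steady state it
        // deserves a log line, because with sessionCookiePath="/" Tomcat will adopt the presented id.
        if (http.getRequestedSessionId() != null && !http.isRequestedSessionIdValid()) {
            LOG.warning("unknown session id presented by " + http.getRemoteAddr() + " via "
                    + (http.isRequestedSessionIdFromCookie() ? "cookie" : "URL"));
        }
        chain.doFilter(req, res);
    }

    /**
     * Call from login code right after credentials are verified and before the response is
     * committed: moves the session's attributes into a newly created session, so the id the browser
     * held before authentication stops working. Servlet 3.0 has no changeSessionId(), hence
     * invalidate-and-recreate. Caveat: with sessionCookiePath="/" Tomcat 7 creates the new session
     * under the id from the cookie (the reuse discussed in this thread), so leave that at its default.
     */
    public static HttpSession rotateSessionId(HttpServletRequest http) {
        HttpSession old = http.getSession(true);
        Map<String, Object> saved = new HashMap<String, Object>();
        for (Enumeration<String> names = old.getAttributeNames(); names.hasMoreElements();) {
            String name = names.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = http.getSession(true); // new id generated by Tomcat's session manager
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

Register the filter in web.xml for the paths you want to watch, and call rotateSessionId from the login servlet only, never from the filter after chain.doFilter, since the response may already be committed by then.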