https://bz.apache.org/bugzilla/show_bug.cgi?id=60854
Mark Thomas changed:
What|Removed |Added
Resolution|--- |WONTFIX
--- Comment #9 from Jan Engehausen ---
Hi Mark,
I can confirm that alwaysUseSession="true" does make all tests of the test
project pass. In our real life setup we do have a custom authenticator and can
implement the
--- Comment #8 from Mark Thomas ---
It is worth keeping in mind the change in session ID is relatively cheap. The
session object remains the same, it is just the ID field that is updated.
Using alwaysUseSession="true" on the
--- Comment #7 from Jan Engehausen ---
I am using org.apache.catalina.authenticator.BasicAuthenticator directly with
default settings (cache="true" and changeSessionIdOnAuthentication="true").
--- Comment #6 from Christopher Schultz ---
Your example does not show it; are you using cache="false" in your basic
authenticator valve? You'd have to go through some hoops to effect that change.
--- Comment #5 from Jan Engehausen ---
So, we discussed this and still think that in the particular scenario described
(authentication and session creation in the same request), a subsequent request
should not get a new
--- Comment #4 from Jan Engehausen ---
I see. I need to run this by my colleagues, hope it is okay to keep open until
tomorrow.
I would argue that in the case where authentication and session creation occur
in the same
--- Comment #3 from Remy Maucherat ---
If you don't cache, authentication occurs on every request.
--- Comment #2 from Jan Engehausen ---
Hello Remy,
as far as I understand, session fixation prevention is there to change the
session ID when a session becomes authenticated. That's good.
But without a session to begin
--- Comment #1 from Remy Maucherat ---
My opinion is that it's a feature. If you don't like it, you should cause the
creation of a session before authentication. Will leave it open for further
comments before closing, though.