[Bug 60854] Unintended JSESSIONID value change

2017-03-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60854 Mark Thomas changed:

What       | Removed | Added
Resolution | ---     | WONTFIX

[Bug 60854] Unintended JSESSIONID value change

2017-03-24 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60854 --- Comment #9 from Jan Engehausen --- Hi Mark, I can confirm that alwaysUseSession="true" does make all tests of the test project pass. In our real life setup we do have a custom authenticator and can implement the

[Bug 60854] Unintended JSESSIONID value change

2017-03-23 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60854 --- Comment #8 from Mark Thomas --- It is worth keeping in mind the change in session ID is relatively cheap. The session object remains the same, it is just the ID field that is updated. Using alwaysUseSession="true" on the

[Bug 60854] Unintended JSESSIONID value change

2017-03-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60854 --- Comment #7 from Jan Engehausen --- I am using org.apache.catalina.authenticator.BasicAuthenticator directly with default settings (cache="true" and changeSessionIdOnAuthentication="true").

[Bug 60854] Unintended JSESSIONID value change

2017-03-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60854 --- Comment #6 from Christopher Schultz --- Your example does not show it; are you using cache="false" in your basic authenticator valve? You'd have to go through some hoops to effect that change.

[Bug 60854] Unintended JSESSIONID value change

2017-03-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60854 --- Comment #5 from Jan Engehausen --- So, we discussed this and still think that in the particular scenario described (authentication and session creation in the same request), a subsequent request should not get a new

[Bug 60854] Unintended JSESSIONID value change

2017-03-13 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60854 --- Comment #4 from Jan Engehausen --- I see. I need to run this by my colleagues, hope it is okay to keep open until tomorrow. I would argue that in the case where authentication and session creation occur in the same

[Bug 60854] Unintended JSESSIONID value change

2017-03-13 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60854 --- Comment #3 from Remy Maucherat --- If you don't cache, authentication occurs on every request.

[Bug 60854] Unintended JSESSIONID value change

2017-03-13 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60854 --- Comment #2 from Jan Engehausen --- Hello Remy, as far as I understand, session fixation prevention is there to change the session ID when a session becomes authenticated. That's good. But without a session to begin

[Bug 60854] Unintended JSESSIONID value change

2017-03-13 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60854 --- Comment #1 from Remy Maucherat --- My opinion is that it's a feature. If you don't like it, you should cause the creation of a session before authentication. Will leave it open for further comments before closing, though.