Re: Session does not get invalidated when sessionCookiePath is set to "/"

2013-10-04 Thread Mark Thomas
On 02/10/2013 22:26, Stefan Haberl wrote: > I've a context.xml like so: > > useHttpOnly="true" disableURLRewriting="true" /> > > > > > > > I'm using Spring Security, which creates a new session after a user > has been authenticated to prevent session fixation attacks. > Everything works as

Re: Session does not get invalidated when sessionCookiePath is set to "/"

2013-10-03 Thread Stefan Haberl
Hi Christopher, I've deployed the test app on one of my test boxes (sorry, no DNS - only IP-Address): http://178.238.228.136:8080/TestServlet Dump of TestServlet.java: import java.io.IOException; import java.io.PrintWriter; import javax.servlet.ServletException; import javax.servlet.annotati

Re: Session does not get invalidated when sessionCookiePath is set to "/"

2013-10-03 Thread Christopher Schultz
Stefan, On 10/3/13 5:40 AM, Stefan Haberl wrote: > I've created a minimal test case to isolate the problem. The > TestServlet is not doing much but invalidating sessions, generating > new ones and checking if the new one gets a different ID than th

Re: Session does not get invalidated when sessionCookiePath is set to "/"

2013-10-03 Thread Stefan Haberl
Hi all, I've created a minimal test case to isolate the problem. The TestServlet is not doing much but invalidating sessions, generating new ones and checking if the new one gets a different ID than the old one (see attached WAR). IMHO I think this could be a Tomcat bug? Steps to reproduce the

Re: Session does not get invalidated when sessionCookiePath is set to "/"

2013-10-02 Thread Stefan Haberl
Hi Chuck, Sorry, that was a copy and paste error into my mail client. My context.xml of course looks like: Stefan On 02.10.2013, at 23:36, "Caldarale, Charles R" wrote: >> From: Stefan Haberl [mailto:birnbu...@gmail.com] >> Subject: Session does not get invalidated when sessionCookie

RE: Session does not get invalidated when sessionCookiePath is set to "/"

2013-10-02 Thread Caldarale, Charles R
> From: Stefan Haberl [mailto:birnbu...@gmail.com] > Subject: Session does not get invalidated when sessionCookiePath is set to "/" > I've a context.xml like so: > sessionCookieDomain="acme.org" >sessionCookieName="acme" >useHttpOnly="true" >disableURLRewriting="true" > /> The /